user5038347

Asked: 2016-06-13 23:43:40 +0800 CST2016-06-13 23:43:40 +0800 CST 2016-06-13 23:43:40 +0800 CST

Logstash Grok Filter

I'm sure there is a simple solution to this but I'm new to working Logstash. The filter I'm trying to apply is for some firewall logs and I have a field that will either have a single or two values separated by a colon.

X16-V523 X16-V523:example.com

I have been using for the line with two values,

%{GREEDYDATA:srcint}:%{GREEDYDATA:srchost}

How do i make the second part of the match optional?

Chris

1 Answers

Voted

Jacob Evans
2016-06-14T05:30:00+08:002016-06-14T05:30:00+08:00
This should do it.

(%{GREEDYDATA:srcint}:%{GREEDYDATA:srchost})|(%{GREEDYDATA:srcint})

also test with http://grokdebug.herokuapp.com/
0

Logstash Grok Filter

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?