I am sorry for the enigmatic topic title, but I did not know how to put it correctly. These are the log types:
{vpnclient} Client[10.10.10.10:54576](11764): sending R_KEYCHANGE message
{vpnclient} Client[10.10.10.10:54576](16031): sending R_IPCONFIG message - client IP = 172.11.11.11/255.255.255.0, CEP = 3600 s, DNS = 172.11.1.101, 172.11.1.102
And this is my grok pattern:
^{vpnclient} %{WORD}\[%{IP:[client][ip]}:%{NUMBER:[source][port]}\]\(%{INT:[process][pid]}\): %{GREEDYDATA:message} (:?%{GREEDYDATA:kv_vpn_message})
What I want to do is forward the log after the hyphen (so - client IP) to the kv filter.
My problem is - this type of log does not always occur, so I want to wrap the whole grok pattern, so it matches until %{GREEDYDATA:message} and also %{GREEDYDATA:kv_vpn_message}, but only when it occurs.
You can use
^{vpnclient} %{WORD}\[%{IP:[client][ip]}:%{NUMBER:[source][port]}\]\(%{INT:[process][pid]}\): %{DATA:message}(?: - %{GREEDYDATA:kv_vpn_message})?$
There are several changes:
%{DATA:message} - the message pattern is turned into a non-greedy dot pattern, .*?, with GREEDYDATA changed to DATA
(?: - %{GREEDYDATA:kv_vpn_message})? - is an optional non-capturing group that matches one or zero occurrences of " - " and then zero or more chars, as many as possible, captured into the "kv_vpn_message" group
$ - end of string anchor, it allows the "message" DATA pattern to match till the end of line.
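To check the pattern from the answer above against both log lines outside Logstash, here is an added example (not code from the original posts) that translates it into a Python regex and then splits the optional tail into key/value pairs. The simplified sub-patterns, the field names and the pair splitter are assumptions, and the splitter goes one step beyond the answer by keeping the comma-separated DNS list as a single value.

```python
import re

# Python translation of the grok pattern from the answer. The sub-patterns are
# simplified stand-ins (assumption): WORD -> \w+, IP -> IPv4 only,
# NUMBER/INT -> \d+, DATA -> .*?, GREEDYDATA -> .*
VPN_RE = re.compile(
    r"^\{vpnclient\} \w+"
    r"\[(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<source_port>\d+)\]"
    r"\((?P<pid>\d+)\): "
    r"(?P<message>.*?)"
    r"(?: - (?P<kv_vpn_message>.*))?$"
)

# A new pair starts only at ", " followed by "<key> = "; this keeps the
# comma-separated DNS server list together as one value.
PAIR_SPLIT = re.compile(r", (?=[^,=]+ = )")


def parse_line(line):
    """Return the extracted fields, or None when the line does not match."""
    m = VPN_RE.match(line)
    if m is None:
        return None
    # Drop kv_vpn_message when the optional group did not take part in the match.
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    tail = event.get("kv_vpn_message")
    if tail:
        pairs = (p.split(" = ", 1) for p in PAIR_SPLIT.split(tail) if " = " in p)
        event["kv"] = {key: value for key, value in pairs}
    return event


# The two log lines from the question.
SAMPLES = [
    "{vpnclient} Client[10.10.10.10:54576](11764): sending R_KEYCHANGE message",
    "{vpnclient} Client[10.10.10.10:54576](16031): sending R_IPCONFIG message - "
    "client IP = 172.11.11.11/255.255.255.0, CEP = 3600 s, "
    "DNS = 172.11.1.101, 172.11.1.102",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_line(sample))
```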