question Re: ExtractGrok processor - Writing Regex to parse Cisco syslog in Archives of Support Questions (Read Only)

ExtractGrok processor - Writing Regex to parse Cisco syslog

jayanthimala_ja — Sat, 03 Mar 2018 06:18:39 GMT

I am running the Nifi on Docker. Nifi ParseSyslog fails for Cisco syslog, so trying to write custom regex parsing using Extract Grok processor.

What is the Grok pattern file to be provided? I provided Grok expression, but it still looks for Grok pattern file.

Any pointers on this will help. Thanks!

Re: ExtractGrok processor - Writing Regex to parse Cisco syslog

pvillard — Sat, 03 Mar 2018 18:16:02 GMT

Hi Jay,

You need to provide a file such as

https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/TestExtractGrok/patterns

You could also use the ConvertRecord processor with a GrokReader. In this case there is already a default pattern file pre-loaded with the reader.

Hope this helps,

Pierre

Re: ExtractGrok processor - Writing Regex to parse Cisco syslog

jayanthimala_ja — Tue, 06 Mar 2018 00:24:36 GMT

@Pierre Villard - Thanks for the reply. I looked at this pattern file. But I am not sure how to link this file to Grok pattern file on nifi.

I am running it on docker compose, so how do i store this pattern file and what path to provide in the Nifi?

Re: ExtractGrok processor - Writing Regex to parse Cisco syslog

jayanthimala_ja — Wed, 07 Mar 2018 02:14:51 GMT

I got the pattern file created and used in Nifi.

I am using this in grok expression:

<(?<priority>[0-9]+)>(?<sequence>[0-9]+): *(\*)?%{CISCOTIMESTAMP}: (?<host>[a-zA-Z0-9_]+): %(?<facility>[A-Z0-9_]+)-(?<severity>[0-7]+)-(?<mnemonic>[A-Z0-9_]+): (?<message>.+)

grok pattern file - https://github.com/apache/nifi/blob/master/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/test/resources/TestExtractGrok/patterns

This expression works fine on Grok debugger site - http://grokdebug.herokuapp.com/. But not on Nifi. What am i doing wrong?

Sample cisco router log data i am using:

<189>22: *Apr 29 13:58:40.411: user: %SYS-5-CONFIG_I: Configured from console by console

Re: ExtractGrok processor - Writing Regex to parse Cisco syslog

jayanthimala_ja — Wed, 07 Mar 2018 03:19:27 GMT

I got it working. I had to add the custom naming fields used in the Grok expression into the pattern file.

Re: ExtractGrok processor - Writing Regex to parse Cisco syslog

mabr — Mon, 17 Feb 2020 11:18:43 GMT

Hi, can you explain how did you solve this problem?