Matching multiple lines in grok

jaap.anjaria · August 9, 2023, 7:10am

I want to match the following Windows log using a grok expression:-

LogName=Security
EventCode=4689
EventType=0
TaskCategory=Process Termination
Type=Information
RecordNumber=6828379

How can I match new-line characters in grok.

The above log in a single line can be matched using the following expression:-

LogName=%{DATA:log_name} EventCode=%{INT:event_code} EventType=%{INT:event_type} TaskCategory=%{DATA:task_category} Type=%{NOTSPACE:type} RecordNumber=%{NOTSPACE:recordNumber}'

But when I add \s or \r\n in the above expression and try to match a newline character in the above log, it fails to match the newline character because I feel it trying to match from the very beginning of the grok expression. What should be the grok expression for the 6 line log mentioned above?

alex.paramonov · August 10, 2023, 4:00pm

Hi,
can you please clarify, what you are trying to achieve?
Anyway, you can use JS script to parse anything.
Please, explain your challenge, and I help you.

Thanks!