Brackets in field name

[pete-leese]

Hey,

Here is my Grok query but for some reason it cannot find a match when I have the brackets in the Referrer and user agent name.

%{TIMESTAMP_ISO8601:logtime} %{WORD:s-sitename} %{WORD:s-computername} %{IPORHOST:s-ip} %{WORD:cs-method} %{NOTSPACE:cs-uri-stem} %{NOTSPACE:cs-uri-query} %{NUMBER:s-port} %{NOTSPACE:cs-username} %{IPORHOST:c-ip} %{NOTSPACE:cs-version} %{NOTSPACE:cs(User-Agent)} %{NOTSPACE:cs(Referer)} %{IPORHOST:cs-host} %{NUMBER:sc-status} %{NUMBER:sc-substatus} %{NUMBER:c-win32-status} %{NUMBER:sc-bytes} %{NUMBER:cs-bytes} %{NUMBER:time-taken}

Example log item:

2018-02-02 00:01:32 W3SVC1 UKAPPSVR 172.18.131.173 GET /123/I/Home/PLMonstants - 80 Joe+Bloggs 172.18.17.185 HTTP/1.1 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko https://blahblah.co.uk/theappname/live/app/thingy localhost 200 0 0 3393 2644 90

was using http://grokconstructor.appspot.com/do/match to validate?

Any ideas what I could be doing wrong or if there is something I can change with the query string to work around the bracket issue.

Thanks.

Pete

[pete-leese]

Is this project still alive?

[mateusz-jablonski94]

Hi @VR6Pete
We are using vjeantet/grok library (https://github.com/vjeantet/grok) for matching iis fields.
Probably brackets in filed names are not allowed in this library and therefore our exporter can't find a match. Yes, we were using http://grokconstructor.appspot.com/do/match for testing and it also can't find a match if you use brackets.