{ "v": 1, "id": "b58caaef-418c-44b5-a082-165fa6140cf3", "rev": 2, "name": "GROK Pattern Collection", "summary": "GROK Pattern Collection", "description": "INCLUDES: BASE10NUM BASE16FLOAT BASE16NUM CISCOMAC COMBINEDAPACHELOG COMMA COMMONAPACHELOG COMMONMAC DATA DATE DATE_EU DATE_US DATE_US2 DATESTAMP DATESTAMP_EVENTLOG DATESTAMP_OTHER DATESTAMP_RFC2822 DATESTAMP_RFC822 DAY GREEDYDATA HOST HOSTNAME HOSTPORT HOUR HTTPDATE INT IP IPORHOST IPV4 IPV6 ISO8601_TIMEZONE LOGLEVEL MAC MINUTE MONTH MONTHDAY MONTHNUM MONTHNUM2 NONNEGINT NOTCOMMA NOTSPACE NUMBER PATH POSINT PROG PROTOCOL QS QSORNC QUOTEDQUOTES QUOTEDSTRING QUOTES SECOND SPACE SYSLOGBASE SYSLOGFACILITY SYSLOGHOST SYSLOGPROG SYSLOGTIMESTAMP TIME TIMESTAMP_ISO8601 TTY TZ UNIXPATH URI URIHOST URIPARAM URIPATH URIPATHPARAM URIPROTO USER USERNAME UUID WINDNS_FLAGSCHAR WINDNS_FLAGSHEX WINDNS_IP WINDNS_OPCODE WINDNS_PROTOCOL WINDNS_QTYPE WINDNS_QUERYRESP WINDNS_RESPONSE WINDNS_SNDRCV WINDNS_THREADID WINDNS_TIME WINDOWSMAC WINPATH WORD WORDSWITHDASH YEAR", "vendor": "reighnman ", "url": "https://github.com/reighnman/Graylog_GROK_Pattern_Collection", "parameters": [], "entities": [ { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "5075a062-dd1f-4c92-ba5a-119eb572d9e0", "data": { "name": "WINPATH", "pattern": "(?>[A-Za-z]+:|\\\\)(?:\\\\[^\\\\?*]*)+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3d5d5a91-d9ef-4ba2-bad9-58771601a6a4", "data": { "name": "HOSTNAME", "pattern": "\\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\\.?|\\b)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "167f9f55-6965-4afd-8a5f-ae8d639dceb6", "data": { "name": "BASE16NUM", "pattern": "(?=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "f64fcc1b-2db0-4336-8b66-1f7f7863fd3d", "data": { "name": "UUID", "pattern": "[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "b146f1d1-0109-455a-8359-7ba756ae43ec", "data": { "name": "SYSLOGBASE", "pattern": "%{SYSLOGTIMESTAMP:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "1db9288b-f5da-47a1-b7cc-f33469d66103", "data": { "name": "DATESTAMP_RFC822", "pattern": "%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "935d21e4-7122-4601-91ba-469ac57d08ec", "data": { "name": "DATESTAMP_EVENTLOG", "pattern": "%{YEAR}%{MONTHNUM2}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "b5a38719-60ee-4789-ab6d-d06a5c38c80d", "data": { "name": "QS", "pattern": "%{QUOTEDSTRING}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ee3f5ddf-ca4f-427e-b9f5-30f24e33fd32", "data": { "name": "WINDNS_FLAGSHEX", "pattern": "([0-9]+)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "dee4613a-4b93-4a1d-ac59-65eae4dc1853", "data": { "name": "QSORNC", "pattern": "(%{QUOTEDQUOTES}|%{NOTCOMMA})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3cde1d52-b389-476a-a9a7-1269108fa1d5", "data": { "name": "SYSLOGTIMESTAMP", "pattern": "%{MONTH} +%{MONTHDAY} %{TIME}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "b0dec445-0c21-4647-90b7-94a8d08c5c23", "data": { "name": "TZ", "pattern": "(?:[PMCE][SD]T|UTC)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "0e0d63ce-ccf3-43f3-b354-022fec2d3394", "data": { "name": "WINDNS_QUERYRESP", "pattern": "(\\s+R\\s+|\\s+)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "fa80ecb3-2703-40d1-a84c-d625d71d3c84", "data": { "name": "MONTH", "pattern": "\\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\\b" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ae1cba0c-982d-4be4-a173-d96de3db9164", "data": { "name": "QUOTEDSTRING", "pattern": "(?>(?\"(?>\\\\.|[^\\\\\"]+)+\"|\"\"|(?>'(?>\\\\.|[^\\\\']+)+')|''|(?>`(?>\\\\.|[^\\\\`]+)+`)|``))" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "6c18f61b-07ee-4cc8-b061-7b659cdcf329", "data": { "name": "LOGLEVEL", "pattern": "([A|a]lert|ALERT|[T|t]race|TRACE|[D|d]ebug|DEBUG|[N|n]otice|NOTICE|[I|i]nfo|INFO|[W|w]arn?(?:ing)?|WARN?(?:ING)?|[E|e]rr?(?:or)?|ERR?(?:OR)?|[C|c]rit?(?:ical)?|CRIT?(?:ICAL)?|[F|f]atal|FATAL|[S|s]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "556ab03b-c449-4d88-a818-4650d6efea76", "data": { "name": "MONTHNUM2", "pattern": "(?:0[1-9]|1[0-2])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "9d76e002-9f7c-4b56-975a-95b0da916482", "data": { "name": "WINDOWSMAC", "pattern": "(?:(?:[A-Fa-f0-9]{2}-){5}[A-Fa-f0-9]{2})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "1cd99e13-a1ec-41b9-91b7-5747142ffe24", "data": { "name": "URIPROTO", "pattern": "[A-Za-z]+(\\+[A-Za-z+]+)?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "d5c00b55-3412-4c7d-934e-ff2f2eff540c", "data": { "name": "SECOND", "pattern": "(?:[0-5][0-9])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3d6f553b-7aeb-44db-adc5-98dcbcd67314", "data": { "name": "WORDSWITHDASH", "pattern": "([A-Za-z0-9\\-\\_]+)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "82333e23-2f2c-4bc9-9156-26826f6d3a70", "data": { "name": "ISO8601_TIMEZONE", "pattern": "(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "abb6286c-8a2c-4a39-bc91-164862d9d44d", "data": { "name": "SYSLOGPROG", "pattern": "%{PROG:program}(?:\\[%{POSINT:pid}\\])?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "f16988f3-a7fc-4490-a029-2c8ce6ca7274", "data": { "name": "SPACE", "pattern": "\\s*" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "6d3ab953-d424-45e8-a47b-46631df6fa41", "data": { "name": "MAC", "pattern": "(?:%{CISCOMAC}|%{WINDOWSMAC}|%{COMMONMAC})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "9f7f35d3-2f60-4741-ad88-bf8c0daf8b13", "data": { "name": "SYSLOGFACILITY", "pattern": "<%{NONNEGINT:facility}.%{NONNEGINT:priority}>" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "e58f8ff4-b2b7-4760-a78e-906077842b5f", "data": { "name": "PROG", "pattern": "(?:[\\w._/%-]+)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "1534d00c-54e6-4a9c-967f-5bc8f9298601", "data": { "name": "TIMESTAMP_ISO8601", "pattern": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "169c8618-2465-41f9-94f7-855ead54c725", "data": { "name": "WINDNS_FLAGSCHAR", "pattern": "(\\s+[A|T|D|R]{1,4}\\s+)|(\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+)|(\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+[A|T|D|R]{1,4}\\s+)|\\s+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "25aa3a47-7bf8-411c-96e1-04f1f84e6f76", "data": { "name": "COMMONAPACHELOG", "pattern": "%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response} (?:%{NUMBER:bytes}|-)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "f4890508-1501-4fb7-922b-8a5e07afd10f", "data": { "name": "DATE_US2", "pattern": "%{YEAR}[/-]%{MONTHNUM}[/-]%{MONTHDAY}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "24f2b2a7-1771-4791-9c43-80029e2c66bc", "data": { "name": "IPORHOST", "pattern": "(?:%{HOSTNAME}|%{IP})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "06d328b9-9940-45a9-a27f-352b06625ffa", "data": { "name": "ISO8601_SECOND", "pattern": "(?:%{SECOND}|60)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "bdb965e1-da68-4403-8148-fa0352dbca1d", "data": { "name": "MINUTE", "pattern": "(?:[0-5][0-9])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "513b19ed-bab9-4238-8d7e-9a051d904e2f", "data": { "name": "URI", "pattern": "%{URIPROTO}://(?:%{USER}(?::[^@]*)?@)?(?:%{URIHOST})?(?:%{URIPATHPARAM})?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "dfccf17f-3ca3-4d90-be77-4eed05ff1818", "data": { "name": "WINDNS_SNDRCV", "pattern": "(Snd|Rcv)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3883237c-be89-4e66-a79a-dbd2e21fd842", "data": { "name": "IP", "pattern": "(?:%{IPV6}|%{IPV4})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "238ef8b4-4451-4ece-9512-3faa69f06146", "data": { "name": "UNIXPATH", "pattern": "(?>/(?>[\\w_%!$@:.,-]+|\\\\.)*)+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3938827f-4c12-4441-b88b-0c954733ec99", "data": { "name": "COMMA", "pattern": "," }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "815787ab-df71-4f63-8e53-be513c62978e", "data": { "name": "WINDNS_IP", "pattern": "(?=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "941f5863-14cb-4e74-8573-7d29b589970f", "data": { "name": "COMMONMAC", "pattern": "(?:(?:[A-Fa-f0-9]{2}:){5}[A-Fa-f0-9]{2})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ee507dee-5966-46a9-90e8-c99f6eab73b5", "data": { "name": "DAY", "pattern": "(?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "f58d2ecf-9786-4059-a6d4-69dbea231fe3", "data": { "name": "YEAR", "pattern": "(?>\\d\\d){1,2}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "784cb7f2-2ab5-47a1-b5a9-b1f1bc307702", "data": { "name": "GREEDYDATA", "pattern": ".*" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "4ef74fc7-1733-4ccf-9496-59f6a5dd0859", "data": { "name": "DATE_US", "pattern": "%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ae33a39d-151c-4f04-b951-1499fce23162", "data": { "name": "COMBINEDAPACHELOG", "pattern": "%{COMMONAPACHELOG} %{QS:referrer} %{QS:agent}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "c89296a6-b670-4d1c-a2b0-33ab86a86fbc", "data": { "name": "DATE_EU", "pattern": "%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "d4d9f304-bbb3-4834-996f-bea0f5ec64d3", "data": { "name": "HOUR", "pattern": "(?:2[0123]|[01]?[0-9])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "9b94598d-84e3-4f0d-8867-47cb3220889d", "data": { "name": "NOTCOMMA", "pattern": "[^,]+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "c476e976-6a56-4e5a-8107-a24d30da8bfa", "data": { "name": "WINDNS_RESPONSE", "pattern": "([A-Z]+)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "7e4f11ad-8855-41f5-bafc-542f30eeee74", "data": { "name": "BASE10NUM", "pattern": "(?[+-]?(?:(?:[0-9]+(?:\\.[0-9]+)?)|(?:\\.[0-9]+)))" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "462f096a-f259-4166-b6c1-05e67b7b2859", "data": { "name": "WINDNS_PROTOCOL", "pattern": "(UDP|TCP)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "5dc7fd34-2981-4a75-be63-1c22a9dc5120", "data": { "name": "IPV6", "pattern": "((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)){3}))|:)))(%.+)?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "9e9af39f-f381-4cf6-bfb0-6785d83dce47", "data": { "name": "MONTHDAY", "pattern": "(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "54b0ff03-5847-4679-9deb-8d057ac2823b", "data": { "name": "TTY", "pattern": "(?:/dev/(pts|tty([pq])?)(\\w+)?/?(?:[0-9]+))" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "bb2b7c1f-00c7-42a1-b158-1e77a2cbc7b9", "data": { "name": "WINDNS_NAME", "pattern": "(?:\\s+.+|)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "e3c7e216-2b1e-48bf-9014-0c610c3271c5", "data": { "name": "NOTSPACE", "pattern": "\\S+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "a407a211-da24-4a26-b804-828884e4e96c", "data": { "name": "DATESTAMP_OTHER", "pattern": "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "d7d39cb8-dc6b-418b-9dd1-890f9b73390f", "data": { "name": "NONNEGINT", "pattern": "\\b(?:[0-9]+)\\b" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "d4f6e446-b2cb-4ed4-b5ad-4a563bd3805a", "data": { "name": "USER", "pattern": "%{USERNAME}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "49ff9853-1c64-41a8-aa1a-b82dfdb26709", "data": { "name": "DATE", "pattern": "%{DATE_US}|%{DATE_EU}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "e274dc49-31ec-4a72-aef8-5b45d18862ea", "data": { "name": "WINDNS_XID", "pattern": "([a-z0-9]{4})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "c4afe943-5738-403c-80a8-7fcf6b032e87", "data": { "name": "URIHOST", "pattern": "%{IPORHOST}(?::%{POSINT:port})?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "55697053-bdb6-43d9-b0a3-9ad6034dba9d", "data": { "name": "DATA", "pattern": ".*?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "76186c14-15ea-4157-8df7-dd8d038b23f7", "data": { "name": "SYSLOGHOST", "pattern": "%{IPORHOST}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "a976acbf-3fe3-48e0-8772-4e78be323ea7", "data": { "name": "BASE16FLOAT", "pattern": "\\b(?=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ab645b7d-aa2a-4120-b0f8-db3fcb6183b1", "data": { "name": "DATESTAMP_RFC2822", "pattern": "%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "d023a98d-8bee-40e5-870b-1f96ce928f2a", "data": { "name": "PATH", "pattern": "(?:%{UNIXPATH}|%{WINPATH})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "79634924-cc1a-4e0c-8e41-6a40bcc56dcf", "data": { "name": "MONTHNUM", "pattern": "(?:0?[1-9]|1[0-2])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "9a07fe44-63dc-4a33-ad3a-d7954246e081", "data": { "name": "HTTPDATE", "pattern": "%{MONTHDAY}/%{MONTH}/%{YEAR}:%{TIME} %{INT}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "ce25ebb8-a115-41d5-8a5f-115ddda93fe2", "data": { "name": "URIPARAM", "pattern": "\\?[A-Za-z0-9$.+!*'|(){},~@#%&/=:;_?\\-\\[\\]]*" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "028c5bb6-276b-48a5-af8a-9a20ac3ba8ba", "data": { "name": "WINDNS_QTYPE", "pattern": "(?:\\s\\S+|)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "42fb52c4-361e-441a-97a9-73630b0a88f5", "data": { "name": "PROTOCOL", "pattern": "(TCP|UDP|ICMP)" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "1880262e-44cb-4d08-af6e-96eb7423ecdc", "data": { "name": "INT", "pattern": "(?:[+-]?(?:[0-9]+))" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "3246e252-dbdc-4dc2-8013-6899082b92cd", "data": { "name": "WINDNS_THREADID", "pattern": "[a-zA-Z0-9]{4}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "e109b87e-df85-48a2-b18e-ade846fa06a5", "data": { "name": "QUOTEDQUOTES", "pattern": "(\"((?:[^\"]|\"\")*+)\")" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "697dc92b-6b49-477a-a0a8-ce599bd92528", "data": { "name": "CISCOMAC", "pattern": "(?:(?:[A-Fa-f0-9]{4}\\.){2}[A-Fa-f0-9]{4})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "6ae52298-b374-4643-b9c2-ed76a153dc8b", "data": { "name": "QUOTES", "pattern": "/\"(.+)\"/" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "e62f75b7-9a9b-49e3-aa6f-956572875008", "data": { "name": "URIPATHPARAM", "pattern": "%{URIPATH}(?:%{URIPARAM})?" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "b85dd3e8-7d1c-4711-9e3b-ebfa617fbe73", "data": { "name": "TIME", "pattern": "(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "61c20dd8-628d-4e21-942d-d4d9f7ef5e83", "data": { "name": "USERNAME", "pattern": "[a-zA-Z0-9._-]+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "6ba9f81b-7930-4231-8508-39ed1ae53a01", "data": { "name": "WORD", "pattern": "\\b\\w+\\b" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "a7a24e86-0989-4443-9849-f422674dd59c", "data": { "name": "IPV4", "pattern": "(?=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "bc20a03c-e366-472c-b88a-afc5c53de1dc", "data": { "name": "WINDNS_OPCODE", "pattern": "([A-Z]{1})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "d9a44965-4d31-4320-9ceb-507e38f0aeab", "data": { "name": "DATESTAMP", "pattern": "%{DATE}[- ]%{TIME}" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "67dd5ca7-beaf-4f85-9ca8-732a2a545dcd", "data": { "name": "URIPATH", "pattern": "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%_\\-]*)+" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "f55641eb-bd25-47f9-ab1c-dfeccda9e3c1", "data": { "name": "POSINT", "pattern": "\\b(?:[1-9][0-9]*)\\b" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "83aa549f-5abc-4bc7-a03a-73080a9b273d", "data": { "name": "WINDNS_TIME", "pattern": "(?:0?[1-9]|1[0-2])[/-](?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])[/-](?>\\d\\d){1,2}\\s(?!<[0-9])(?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)\\s(A|P)M" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] }, { "v": "1", "type": { "name": "grok_pattern", "version": "1" }, "id": "63e10758-357e-4d12-8c14-2ebad81f5ded", "data": { "name": "NUMBER", "pattern": "(?:%{BASE10NUM})" }, "constraints": [ { "type": "server-version", "version": ">=3.0.2+1686930" } ] } ] }