Grok pattern example
require 'rubygems'
require 'grok-pure'
require 'awesome_print'
grok = Grok.new
#grok.add_patterns_from_file("/home/logstash/patterns/bigip-f5.patterns")
grok.add_patterns_from_file("/home/logstash/patterns/payload.patterns")
grok.add_patterns_from_file("/opt/logstash/patterns/grok-patterns")
headers = '"User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 192.168.19.125 Accept: */* Cookie: f5_debug=y "'
puts "Headers = #{headers}"
headers_pattern = '%{HEADERS:headers}'
grok.compile(headers_pattern)
puts "HEADERS_PATTERN: #{headers_pattern}"
puts "Full: #{grok.expanded_pattern}"
if grok.match(headers)
  puts "#{ap grok.match(headers).captures()}"
else
  puts "No headers matched"
end
$ ruby grokparse-headers-test.rb
Headers = "User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 192.168.19.125 Accept: */* Cookie: f5_debug=y "
HEADERS_PATTERN: %{HEADERS:headers}
Full: (?<a0>(?:(\b[\w\-]*:[\s][\w\/\.\s\(\)\-=\*]*)\s))
{
"HEADERS:headers" => [
[0] "User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 "
]
}
{"HEADERS:headers"=>["User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 "]}
# Payload patterns
HEADERS (?:(\b[\w\-]*:[\s][\w\/\.\s\(\)\-=\*]*)\s)
Owner

fatmcgav commented Jul 31, 2014

Desired output is:

{"HEADERS:headers" =>
[
  "User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 ",
  "Host: 192.168.19.125 ",
  "Accept: */* ",
  "Cookie: f5_debug=y "
]}
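Added example, not part of the gist: the run above shows a single match call yielding only the first header, so this sketch applies the same HEADERS regex repeatedly with plain Ruby `String#scan` (no grok-pure) to get the desired list, then shows on a constructed line that the pattern silently drops any header whose value contains a colon. `all_headers`, `header_fields`, `NAME`, `FIELD_RE` and `COLON_SAMPLE` are names and inputs made up for this example.

```ruby
# The gist's HEADERS pattern with its grouping removed, so String#scan
# returns each whole match instead of capture groups.
HEADERS_RE = /\b[\w\-]*:\s[\w\/.\s()\-=*]*\s/

# Stricter boundary rule (an assumption of this example, not from the gist):
# a field starts at a "Name: " token and its value runs lazily to the next
# such token or the end of input, so values may contain ':' '?' ';' ','.
NAME = /[A-Za-z][\w\-]*/
FIELD_RE = /(#{NAME}):\s(.*?)(?=\s+#{NAME}:\s|\s*\z)/

# Header line exactly as it appears in the gist.
GIST_SAMPLE = '"User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.6.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 Host: 192.168.19.125 Accept: */* Cookie: f5_debug=y "'

# Constructed input: a port in Host and a URL in Referer.
COLON_SAMPLE = '"Host: 192.168.19.125:8443 Referer: http://intranet.example/a?b=1 Accept: */* "'

# All "Name: value " strings, the shape asked for in the comment above.
def all_headers(line)
  line.scan(HEADERS_RE)
end

# Name => value pairs using the stricter rule; surrounding quotes stripped.
# A repeated header name keeps only its last value.
def header_fields(line)
  line.gsub(/\A"|\s*"\s*\z/, '').scan(FIELD_RE).to_h
end

if __FILE__ == $PROGRAM_NAME
  puts all_headers(GIST_SAMPLE).inspect     # every header from the gist line
  puts all_headers(COLON_SAMPLE).inspect    # Host and Referer are missing
  puts header_fields(COLON_SAMPLE).inspect  # all three fields recovered
end
```

When headers have been flattened onto one space-separated line, any boundary rule is a heuristic: a value that itself contains a `word: ` sequence will still be split, so fields parsed this way are best treated as approximate in detections.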