Unexpected pattern match behaviour

Question

Unexpected pattern match behaviour

grownuphacker opened this issue 2 years ago · 2 comments

Using the test data:
- - - 2022-12-23T05:25:05.584Z ERROR vsan-mgmt[20337] [VsanHttpRequestWrapper::urlopen opID=noOpId] Exception while sending request : <urlopen error timed out>

and the pattern:
- - - %{TIMESTAMP_ISO8601} %{NOTSPACE:event_severity} %{PROG:event_process}\[%{INT:event_pid}\] \[%{NOTSPACE:event_thread_name}( sub=%{NOTSPACE:event_sub_thread})? (?i)opid=%{NOTSPACE:event_operation_id}\]

Matches up until the final sementic (event_operation_id). This field is not populated and any further fields are right-shifted. The exact same test data on multiple other grok debuggers does not give the same result.

Answer 1 · 2023-01-12T16:25:57.000Z

Hi, thanks for letting me know. I'll have to dig into this. It's probably an issue with the dependency https://github.com/cjslack/grok-js-web, which was forked from https://github.com/Beh01der/node-grok

I would avoid using flag modifiers for now. Alternatively, for your specific example you can do something like this to achieve the desired result:

op(id|ID)=%{NOTSPACE:event_operation_id}\]

Full example here

Answer 2 · 2023-01-16T15:36:58.000Z

Thanks. I appreciate the workaround - and the tool, it's very useful.