remove named capture groups from predefined grok patterns
LucaWintergerst opened this issue · 0 comments
Named capture groups create new fields in Logstash and can cause unexpected behaviour. In most patterns that is not the case, but a handful of them name some fields.
For example, when using the URIHOST grok pattern, a field with the name port is created as one of the capture groups is named in the pattern definition.
Changing this would be a breaking change as some users might be relying on this behaviour. We could fix this in time for 7.x.
URIHOST %{IPORHOST}(?::%{POSINT:port})?
should be changed to
URIHOST %{IPORHOST}(?::%{POSINT})?
My suggestion is to remove all named capture groups from https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
Other patterns should continue to have named groups to make them easier to use, for example https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/haproxy
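
The effect described in the issue, reproduced with a minimal grok-style expander in Ruby. This is an added example, not code from the issue or from Logstash. The BASE definitions are simplified stand-ins, the log line and user pattern are constructed, and collecting a repeated field name into an array is this sketch's own model of how the extra port value surfaces in an event.

```ruby
# Simplified stand-ins for the real base patterns (assumption of this sketch).
BASE = {
  "POSINT"   => '\b[1-9][0-9]*\b',
  "IPORHOST" => '[A-Za-z0-9][A-Za-z0-9.-]*',
}.freeze

# The two URIHOST definitions quoted in the issue.
URIHOST_CURRENT  = '%{IPORHOST}(?::%{POSINT:port})?'
URIHOST_PROPOSED = '%{IPORHOST}(?::%{POSINT})?'

# Expand %{NAME} and %{NAME:field} into regex source. Each named capture gets a
# unique group id (g0, g1, ...) so repeated field names stay distinguishable;
# fields[i] records the field name that group "g<i>" feeds.
def expand(src, defs, fields)
  src.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    id = nil
    if field
      id = "g#{fields.size}"
      fields << field
    end
    body = expand(defs.fetch(name), defs, fields)
    field ? "(?<#{id}>#{body})" : "(?:#{body})"
  end
end

# Match one line and build the event hash. A field captured more than once
# becomes an array (modelling assumption of this sketch).
def grok(line, pattern, defs)
  fields = []
  m = Regexp.new(expand(pattern, defs, fields)).match(line)
  return nil unless m
  fields.each_with_index.each_with_object({}) do |(field, i), event|
    value = m["g#{i}"]
    next if value.nil?
    event[field] = event.key?(field) ? [*event[field], value] : value
  end
end

# Constructed input: the pipeline author names only "upstream" and their own "port".
LINE    = "proxy01.example.net:3128 client_port=51734"
PATTERN = '%{URIHOST:upstream} client_port=%{POSINT:port}'

{ "current" => URIHOST_CURRENT, "proposed" => URIHOST_PROPOSED }.each do |label, urihost|
  puts "#{label}: #{grok(LINE, PATTERN, BASE.merge('URIHOST' => urihost)).inspect}"
end
```

With the current definition the author's port field picks up the URIHOST port as well; with the proposed definition it holds only the value the author captured.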