vectordotdev/vrl

`parse_groks` fails to parse grok


When using `parse_groks` to parse a PAM session line from Linux auth logs, it fails to parse with the exact same grok used in `parse_grok`. Now I know that these functions use different implementations of grok, but I see that the implementation used by `parse_grok` is what gets the job done in this case, as tested on grokdebugger here.

  • line to parse: pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)

  • Parsing using parse_groks:

    • VRL code:

      ```vrl
      . = parse_groks!(.message, patterns: [ "(?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?"], )
      ```
    • Result:
      (result shown as a screenshot in the original issue; not captured here)
  • Parsing using parse_grok:

    • VRL code:

      ```vrl
      . = parse_grok!(.message, "(?=%{GREEDYDATA:message})%{WORD:pam_module}\\(%{DATA:pam_caller}\\): session %{WORD:pam_session_state} for user %{USERNAME:username}(?: by %{GREEDYDATA:pam_by})?" )
      ```
    • Result:
      (result shown as a screenshot in the original issue; not captured here)
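As an added example (not code from the issue or from the VRL project), the grok expression above expanded into a plain Python regex, so the fields the reporter expects from `parse_grok` can be checked offline. It assumes the standard logstash definitions of the four base patterns the expression uses (`WORD`, `DATA`, `GREEDYDATA`, `USERNAME`); the second sample line is constructed to show the optional ` by ...` group firing.

```python
import re

# Standard logstash grok base patterns used by the issue's expression (assumption:
# these are the definitions the reporter's grok debugger applied).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "USERNAME": r"[a-zA-Z0-9._-]+",
}

# Matches %{NAME} and %{NAME:field} references inside a grok expression.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand grok references into a Python regex.

    A reference with a field name becomes a named group; one without is
    inlined as a non-capturing group. Only GROK_PATTERNS are known.
    """
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern {name!r}")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return _GROK_REF.sub(expand, pattern)


# The reporter's grok, as the VRL string literal evaluates (one backslash before the parens).
PAM_GROK = (
    r"(?=%{GREEDYDATA:message})%{WORD:pam_module}\(%{DATA:pam_caller}\): "
    r"session %{WORD:pam_session_state} for user %{USERNAME:username}"
    r"(?: by %{GREEDYDATA:pam_by})?"
)


def parse_pam_line(line: str, grok: str = PAM_GROK) -> dict:
    """Return the named captures for `line`, dropping groups that did not participate."""
    m = re.compile(grok_to_regex(grok)).search(line)
    if m is None:
        raise ValueError("line did not match the grok expression")
    return {k: v for k, v in m.groupdict().items() if v is not None}


# Line from the issue plus one constructed sshd-style line where " by " follows the user.
SAMPLE_LINES = [
    "pam_unix(cron:session): session opened for user root(uid=0) by (uid=0)",
    "pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

if __name__ == "__main__":
    print(grok_to_regex(PAM_GROK))
    for line in SAMPLE_LINES:
        print(parse_pam_line(line))
```

For the issue's own line the expansion yields `pam_module=pam_unix`, `pam_caller=cron:session`, `pam_session_state=opened`, `username=root`, and `message` equal to the whole line (the lookahead captures without consuming). `pam_by` is absent because `USERNAME` stops at the `(` of `(uid=0)` and the text that follows is not ` by `; the pattern is unanchored, so the match still succeeds. That is the result a grok engine with lookahead support produces, which is useful as a reference when comparing the two VRL functions.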

I think this is another instance of #65. The handling should be consistent between these two functions. I'll close this as a duplicate, but feel free to follow along with the other issue.