7.10.1 upgrade and GrokProcessor Error

After I upgraded to 7.10.1, I started getting the following error.
More investigation turned up the following links to fix it.

https://github.com/elastic/beats/issues/15840

https://discuss.elastic.co/t/es-7-6-regular-expression-has-redundant-nested-repeat-operator/220835/5

Should I just simply remove pipeline/filebeat-*?
I don't use the filebeat pipeline at all. What is it used for?

[2020-12-26T01:23:40,245][WARN ][o.e.i.c.GrokProcessor    ] [elkm05] regular expression has redundant nested repeat operator * /(?:(?:\[(?<TIMESTAMP_ISO8601:elasticsearch.server.timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<LOGLEVEL:log.level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s*)?\]\[(?<DATA:elasticsearch.component>.*?)(?:\s*)\]((?:\s*))?(\[(?<DATA:elasticsearch.node.name>.*?)\])?((?:\s*))?)(?:\[gc\]\[(?<NUMBER:elasticsearch.server.gc.overhead_seq>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))\] overhead, spent \[(?<NUMBER:elasticsearch.server.gc.collection_duration.time:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?<DATA:elasticsearch.server.gc.collection_duration.unit>.*?)\] collecting in the last \[(?<NUMBER:elasticsearch.server.gc.observation_duration.time:float>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))(?<DATA:elasticsearch.server.gc.observation_duration.unit>.*?)\]))|(?:(?:\[(?<TIMESTAMP_ISO8601:elasticsearch.server.timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T 
](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<LOGLEVEL:log.level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s*)?\]\[(?<DATA:elasticsearch.component>.*?)(?:\s*)\]((?:\s*))?(\[(?<DATA:elasticsearch.node.name>.*?)\])?((?:\s*))?)(?:\[gc\]\[young\]\[(?<NUMBER:elasticsearch.server.gc.young.one>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))\]\[(?<NUMBER:elasticsearch.server.gc.young.two>(?:(?:(?<![0-9.+-])(?>[+-]?(?:(?:[0-9]+(?:\.[0-9]+)?)|(?:\.[0-9]+))))))\](?:\s*)(?<GREEDYMULTILINE:message>(.|
)*)))|(?:(?:\[(?<TIMESTAMP_ISO8601:elasticsearch.server.timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)\]\[(?<LOGLEVEL:log.level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s*)?\]\[(?<DATA:elasticsearch.component>.*?)(?:\s*)\]((?:\s*))?(\[(?<DATA:elasticsearch.node.name>.*?)\])?((?:\s*))?)(?:\s*)((\[(?<INDEXNAME:elasticsearch.index.name>[a-zA-Z0-9_.-]*)\]|\[(?<INDEXNAME:elasticsearch.index.name>[a-zA-Z0-9_.-]*)\/(?<DATA:elasticsearch.index.id>.*?)\]))?(?:\s*)(?<GREEDYMULTILINE:message>(.|

Well, I got no response and I didn't see anything on the web.

Hence I just removed that filebeat-7.3* pipeline, and the cluster is still up and running.
