Broken Grok filter since V7.10.0

Landong.Zuo · January 25, 2022, 5:45pm

Hi ,
I've recently upgraded logstash from V7.6.0 to V7.16.3. and have seen some odd behaviors of Grok filter since then.

filter {
        grok {
                patterns_dir => "C:\software\ELK\config\patterns"

                        match=> { "message" => "%{CFLOG}" }
                        add_tag => "has_traceback"
                        tag_on_failure=>[]
                        break_on_match=>false
                        match=> { "uri_stem" =>"%{REQUESTURL}"}
                        match=> {"uri_stem" =>"%{DATATYPE}"}
                        match=> {"atime" => "%{STIME}"}

CFLOG ^%{CFDATE:adate}\s+%{TIME:atime}\s+%{NOTSPACE:x_edge_location}\s+%{NUMBER:bytes}\s+%{IP:clientip}\s+%{WORD:verb}\s+%{NOTSPACE}\s+%{NOTSPACE:uri_stem}\s+%{NUMBER:response}\s+%{NOTSPACE:referer}\s+%{NOTSPACE:agent}\s+%{NOTSPACE:uri_query}\s+%{NOTSPACE:cookies}\s+%{NOTSPACE:x_edge_result_type}\s+%{NOTSPACE}\s+%{NOTSPACE}\s+%{NOTSPACE:cs_protocol}\s+%{NUMBER:cs_bytes}\s+%{NOTSPACE:time_taken}\s+%{NOTSPACE:x_forwarded_for}\s+%{NOTSPACE:ssl_protocol}\s+%{NOTSPACE:ssl_cipher}\s+%{WORD:x_edge_response_result_type}\s+%{NOTSPACE:cs_protocol_version}

REQUESTURL /(%{URLFRAGMENT:lang}/)?%{LEGTYPE:legtype}/%{LEGYEAR:legyear}/%{URLFRAGMENT:legnum}?%{GREEDYDATA:legrest}

it appears that above rules worked for all versions prior to V.7.10.0. However, the rule match=> { "uri_stem" =>"%{REQUESTURL}"} failed to match and returned empty matches in any version between V7.10.0 and V7.16.3.
I am wondering if there was any breaking changes of Grok syntax at V7.10.0?
I also tried grok rules in Kibana's grok debugger (V7.16.3), all works fine.

Regards,
Landong

Badger · January 25, 2022, 7:15pm

You are making an assumption about the order in which multiple occurrences of the match option are combined. logstash does not guarantee the order and l know it changed a while back. From first-to-last to last-to-first (I think), so grok is trying to match [uri_stem] before it has been created by matching [message]

As far as I know, order is preserved within a single hash (i.e. a single occurrence of the match option) but the order in which multiple hashes are merged is not defined.

So, do not use multiple occurrences. I would suggest trying

    add_tag => "has_traceback"
    tag_on_failure=>[]
    break_on_match=>false
    match=> { 
        "message" => "%{CFLOG}"
        "uri_stem" =>"%{REQUESTURL}"
        "uri_stem" =>"%{DATATYPE}"
        "atime" => "%{STIME}"
    }

If that does not work then split it into two groks - one for [message] and another for the rest.

Landong.Zuo · January 26, 2022, 2:09pm

Thanks Badger,
I did split it into two groks, which produced the expected outcome.

Regards,

Landong

system · February 23, 2022, 2:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash 7 GROK Filter plugin 'break_on_match' appears to be broken Logstash	14	4957	May 20, 2019
Grok parse failures Logstash	4	286	December 29, 2020
Error : "tags" => [ [0] "_grokparsefailure" ]..Grok filter error Logstash	22	2548	September 18, 2019
After Updating Logstash to 7.7 from 7.6 regex isn't working the same Logstash	10	716	June 23, 2020
Grok pattern matching in debugger but not on logstash Logstash	4	250	July 6, 2022

Broken Grok filter since V7.10.0

Related topics