Different pattern syntax of grok between ingest node and Logstash


(jiangguoqiang) #1

Hi.

When I use an ingest node to parse data, I find a different grok pattern syntax between ingest node and Logstash. For example, when I use an ingest node to parse an Apache access log, the pattern is:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}

while when I use Logstash to parse the same log, the pattern is:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}

The difference is between "\\[" and "\[".

Why not keep a consistent syntax?


(Isabel Drost-Fromm) #2

This looks like a Java escaping difference to me. Maybe @talevy knows more about this?


(jiangguoqiang) #3

Does anyone know more about this?


(Tal Levy) #4

@mainec is right, this is due to the extra escaping that takes place
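
An added illustration, not part of the original thread: assuming the ingest pipeline is submitted as a JSON request body (the thread does not show the request), the JSON parser consumes one level of backslash escaping, so `\\[` reaches the grok regex as the same `\[` that Logstash uses. The pipeline body, the sample log line and the simplified sub-patterns in `SIMPLE` are constructed for this example and are not the official grok definitions.

```python
import json
import re

# Pattern exactly as written for the Logstash grok filter in the thread.
LOGSTASH_PATTERN = r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'

# Constructed ingest pipeline body (raw JSON text). JSON string rules require
# every backslash and double quote inside the pattern to be escaped.
INGEST_BODY = r'''{"processors": [{"grok": {"field": "message", "patterns": ["%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] \"%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}\" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}"]}}]}'''

# Simplified stand-ins for the grok sub-patterns (assumption, NOT the official ones).
SIMPLE = {
    "IPORHOST": r"\S+", "USER": r"[\w.@-]+", "HTTPDATE": r"[^\]]+",
    "WORD": r"\w+", "DATA": r".*?", "NUMBER": r"\d+(?:\.\d+)?", "QS": r'"[^"]*"',
}

# Constructed Apache access log line.
SAMPLE_LINE = '203.0.113.7 - - [10/Oct/2016:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"'


def ingest_patterns(body):
    """Return the grok patterns as the regex engine sees them, after JSON decoding."""
    processors = json.loads(body)["processors"]
    return [p for proc in processors for p in proc["grok"]["patterns"]]


def grok_to_regex(pattern):
    """Expand %{NAME:field[:type]} references into named regex groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), SIMPLE[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)(?::\w+)?\}", expand, pattern))


def parse(pattern, line):
    """Apply a grok-style pattern to one log line; None means no match."""
    m = grok_to_regex(pattern).match(line)
    return m.groupdict() if m else None


if __name__ == "__main__":
    decoded = ingest_patterns(INGEST_BODY)[0]
    print("identical after JSON decoding:", decoded == LOGSTASH_PATTERN)
    print(parse(decoded, SAMPLE_LINE))
```

Going the other way, `json.dumps(LOGSTASH_PATTERN)` produces the doubled-backslash form that a JSON pipeline body needs.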

