Different pettern syntax of grok between ingest node and logstash

Hi.

When I use ingest node to parse data, I found a different pattern syntax of grok between ingest node and logstash. For example, when I use ingest node to parse apache access log, the pattern is:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}

while when I use logstash to parse the same log, the pattern is:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}

The difference is between "\\[" and "\[".

Why not keep consistent syntax?

This looks like a Java escaping difference to me. Maybe @talevy knows more about this?

1 Like

Any one knows more about this?

@mainec is right, this is due to the extra escaping that takes place

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.