Different pettern syntax of grok between ingest node and logstash

ginger · November 21, 2016, 12:53pm

Hi.

When I use ingest node to parse data, I found a different pattern syntax of grok between ingest node and logstash. For example, when I use ingest node to parse apache access log, the pattern is:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \\[%{HTTPDATE:timestamp}\\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}

while when I use logstash to parse the same log, the pattern is:

%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}

The difference is between "\\[" and "\[".

Why not keep consistent syntax?

mainec · November 22, 2016, 10:26am

This looks like a Java escaping difference to me. Maybe @talevy knows more about this?

ginger · November 25, 2016, 3:12am

Any one knows more about this?

talevy · December 14, 2016, 9:17pm

@mainec is right, this is due to the extra escaping that takes place

system · January 11, 2017, 9:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.