Grok filter question: don't understand %{COMBINEDAPACHELOG}+

I found a very good grok filter tutorial here. Every concept is well explained except this apache grok filter configuration.

grok {
   match => [
         "message" , "%{COMBINEDAPACHELOG}+%{GREEDYDATA:extra_fields}",
         "message" , "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
   ]
   overwrite => [ "message" ]
}

What is the objective of "+" after "%{}"?

Truly, you have groked grok! The + is completely useless. The pattern says to match one or more COMBINEDAPACHELOG patterns, followed by other random stuff. But a line from a web server log is going to have exactly one COMBINEDAPACHELOG pattern, possibly followed by extra fields. One line is never going to look like %{COMBINEDAPACHELOG}%{COMBINEDAPACHELOG}%{GREEDYDATA:extra_fields}.

So it works, since one is matched by "one or more", but it does not add any value, since the "or more" part will never be matched.
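To see concretely why the "+" changes nothing, here is an added example (not from this thread and not Logstash's own code) that expands a cut-down, constructed grok pattern set into a Python regex and compares the captured fields with and without the quantifier. The pattern definitions, the sample log line and the function names are all assumptions of this example, not the real Logstash definitions.

```python
import re

# Constructed, simplified grok pattern library. The real Logstash definitions
# of COMMONAPACHELOG and its sub-patterns are stricter; these are enough to
# show how the "+" quantifier behaves on a normal web server log line.
GROK_PATTERNS = {
    "IPORHOST": r"[\w.:-]+",
    "USER": r"[\w.-]+",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "NUMBER": r"\d+(?:\.\d+)?",
    "GREEDYDATA": r".*",
    "COMMONAPACHELOG": (
        r'%{IPORHOST:clientip} %{USER:ident} %{USER:auth} '
        r'\[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{NOTSPACE:request} '
        r'HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-)'
    ),
}
_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} recursively into Python regex groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)

def grok_match(pattern: str, line: str):
    """Return the captured fields for a whole-line match, or None."""
    m = re.fullmatch(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

def count_apache_records(line: str) -> int:
    """How many back-to-back COMMONAPACHELOG matches the "+" could consume."""
    rec = re.compile(grok_to_regex("%{COMMONAPACHELOG}"))
    pos, n = 0, 0
    while (m := rec.match(line, pos)) and m.end() > pos:
        pos, n = m.end(), n + 1
    return n

# Constructed sample line: Common Log Format plus two custom trailing fields.
SAMPLE = ('203.0.113.7 - frank [10/Oct/2000:13:55:36 -0700] '
          '"GET /apache_pb.gif HTTP/1.0" 200 2326 req_time=0.012 upstream=10.0.0.5')
WITH_PLUS = "%{COMMONAPACHELOG}+%{GREEDYDATA:extra_fields}"
WITHOUT_PLUS = "%{COMMONAPACHELOG}%{GREEDYDATA:extra_fields}"

def plus_is_redundant(line: str = SAMPLE) -> bool:
    """True when both patterns yield identical fields, i.e. "+" changed nothing."""
    return grok_match(WITH_PLUS, line) == grok_match(WITHOUT_PLUS, line)
```

The second repetition can never start because the text after the byte count begins with a space, which no field of COMMONAPACHELOG accepts, so the quantifier matches exactly once and the trailing fields land in extra_fields either way.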
