Grok multiple matches reports failures in an unexpected way

Sous_Lesquels · July 9, 2019, 4:16pm

I have this filter:

grok {
  break_on_match => false
  match => {
    'message' => [
      'a(?<a>\d+)',
      'b(?<b>\d+)'
    ]
  }
}

and this input file:

a11
b21
a31 b32

When run, this parses correctly, i.e. I get three events:

{a => 11}
{b => 21}
{a => 31, b => 32}

as expected. However, I also get tags => ["_grokparsefailure"] on the first event. Why only on the first (and in particular not on the second)?

If I modify the above to this:

grok {
  break_on_match => false
  match => {
    'message' => [
      'a(?<a>\d+)',
      'b(?<b>\d+)',
      'c(?<c>\d+)'
    ]
  }
}

then I get tags => ["_grokparsefailure"] on all three events.

My expectation is that I'd get _grokparsefailure only when all of the supplied matches fail. Is my expectation incorrect and is there a way to make grok work so that it reports failure only if all matches fail?

Badger · July 9, 2019, 4:19pm

That is a known issue.

Sous_Lesquels · July 9, 2019, 4:23pm

@Badger Ah... No workarounds at the moment?

Badger · July 9, 2019, 4:24pm

None that I know of.

Sous_Lesquels · July 9, 2019, 4:25pm

Cool ty @Badger

system · August 6, 2019, 4:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.