Grokparsing UUID

No_Executable · May 14, 2018, 9:05am

We are trying to extract information from logs depending on the UUID of the command that was used. At the moment our grok match looks like this.

match => {"[doc][Message][0]" => "(?<GrokParse>[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12})"}

This works on almost all UUIDs and we don't understand why these exceptions happen.

This UUID parses without issues.

e64a7b32-a7e1-45da-85bf-b92685a183f7

This UUID fails and gives a _grokparsefailure tag

ac53e624-3a3a-45ae-a75c-6311b8281189

We can not see why it would fail, neither contain any letter after F, no special characters, both follow the 8-4-4-4-12 pattern with both letters and numbers in each segment.

Right now all we can think of is that the failing UUID only has one letter in the last segment or that 4th segment begins with a letter in the failing one.

Anything obvious or less obvious we missed?

magnusbaeck · May 14, 2018, 10:21am

Are you sure it's this particular grok filter that fails? Can you create a minimal example that exhibits the problem?

No_Executable · May 14, 2018, 11:20am

It was an earlier grok match that looked for something we assumed was in every log when it was missing in a few out of a million.

Thank you for your suggestion! It made us backtrack and led us to the faulty line.

system · June 11, 2018, 11:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.