Grokparsing UUID


#1

We are trying to extract information from logs depending on the UUID of the command that was used. At the moment our grok match looks like this.

match => {"[doc][Message][0]" => "(?<GrokParse>[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12})"}

This works on almost all UUIDs and we don't understand why these exceptions happen.

This UUID parses without issues.

e64a7b32-a7e1-45da-85bf-b92685a183f7

This UUID fails and gives a _grokparsefailure tag.

ac53e624-3a3a-45ae-a75c-6311b8281189

We cannot see why it would fail: neither contains any letter after F or any special characters, and both follow the 8-4-4-4-12 pattern with both letters and numbers in each segment.

Right now all we can think of is that the failing UUID only has one letter in the last segment or that the 4th segment begins with a letter in the failing one.

Anything obvious or less obvious we missed?


(Magnus Bäck) #2

Are you sure it's this particular grok filter that fails? Can you create a minimal example that exhibits the problem?


#3

It was an earlier grok match that looked for something we assumed was in every log when it was missing in a few out of a million.

Thank you for your suggestion! It made us backtrack and led us to the faulty line.
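A minimal reproduction of the situation resolved above, as an added example that is not code from any of the posters: it runs the thread's UUID pattern over both UUIDs and gives each stage its own failure tag, the way grok's `tag_on_failure` option does, so the tag names the stage that missed. The earlier `user=` stage, the tag names and the sample messages are assumptions constructed for illustration; only the UUID regex and the two UUIDs come from the thread.

```ruby
# Added example. Stage names, tags and sample messages are constructed.
# UUID pattern copied from the thread's grok match.
UUID_RE = /(?<GrokParse>[A-Fa-f0-9]{8}-(?:[A-Fa-f0-9]{4}-){3}[A-Fa-f0-9]{12})/

# Hypothetical earlier stage: assumes every message carries a "user=" field.
USER_RE = /user=(?<user>\S+)/

# One failure tag per stage, mirroring a distinct tag_on_failure per grok
# filter instead of the shared default "_grokparsefailure".
STAGES = [
  { name: "user", regex: USER_RE, tag: "_grokfail_user" },
  { name: "uuid", regex: UUID_RE, tag: "_grokfail_uuid" },
].freeze

# Run every stage over one message; collect named captures and failure tags.
def run_pipeline(message)
  event = { "message" => message, "tags" => [] }
  STAGES.each do |stage|
    m = stage[:regex].match(message)
    if m
      m.names.each { |n| event[n] = m[n] }
    else
      event["tags"] << stage[:tag]
    end
  end
  event
end

# Tags alone: which stages failed for this message.
def failing_stages(message)
  run_pipeline(message)["tags"]
end

# Constructed messages built around the two UUIDs from the thread.
SAMPLES = [
  "user=alice cmd e64a7b32-a7e1-45da-85bf-b92685a183f7 done",
  "cmd ac53e624-3a3a-45ae-a75c-6311b8281189 done", # no user= field
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |msg|
    ev = run_pipeline(msg)
    puts "#{ev['GrokParse']} tags=#{ev['tags'].inspect}"
  end
end
```

With the shared default tag, the second message would look like a UUID failure even though the UUID was extracted; with per-stage tags it is attributed to the earlier stage.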

