Ingest Pipeline Grok filter ignores first pattern and matches second pattern when second pattern exists

Ingest Pipeline GROK filter:

```json
{
  "grok": {
    "field": "message",
    "patterns": [
      "\\s*Workstation Name:(?!\\t-)\\s*%{DATA:winlog.event_data.WorkstationName}\\n\\t.*",
      "%{GREEDYDATA:message}"
    ],
    "trace_match": true,
    "ignore_missing": true,
    "if": "ctx?.winlog?.event_data?.WorkstationName == null"
  }
}
```

When the second pattern is added to the GROK filter in the Ingest Pipeline, the first pattern is ignored and the second pattern is matched. When I remove the second pattern, though, the first pattern is matched. Any idea why this is happening?

Message that's being matched:

```text
An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Type:			3

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-18
	Account Name:		ThisIsatest
	Account Domain:		Company
	Logon ID:		HexStuff
	Logon GUID:		{GUID}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	Test
	Source Network Address:	***********
	Source Port:		63218

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed
```
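The behaviour in the post follows from how the ingest grok processor handles a list of patterns: it does not try them one after another, it joins them into a single regular expression as alternatives (with `trace_match` each alternative is wrapped in a named group, which is where `_ingest._grok_match_index` comes from) and then runs an unanchored search over the field. A regex search returns the leftmost match, trying the alternatives in order only at each offset. At offset 0 the first pattern cannot match (the text there is "An account was...", not "Workstation Name:"), but `%{GREEDYDATA:message}` can, so the catch-all wins before the engine ever reaches the "Workstation Name:" line further down. With the catch-all removed, the search keeps advancing until the first pattern matches. The Python below is an added emulation, not code from the post or from Elasticsearch (which uses the Joni engine, but with the same leftmost-match rule); the shortened 4624 event text and the `[\s\S]*?` prefix used in the fixed pattern are my own:

```python
from __future__ import annotations
import re

# Grok aliases that the two patterns in the post use, expanded the way the
# grok library defines them (DATA is a lazy .*?, GREEDYDATA is a greedy .*).
GROK_ALIASES = {"DATA": r".*?", "GREEDYDATA": r".*"}


def expand_grok(pattern: str) -> str:
    """Turn %{ALIAS:field} into a Python named group (dots in field names become underscores)."""
    def repl(m: re.Match) -> str:
        alias, field = m.group(1), m.group(2)
        return f"(?P<{field.replace('.', '_')}>{GROK_ALIASES[alias]})"
    return re.sub(r"%\{(\w+):([\w.]+)\}", repl, pattern)


def combine_patterns(patterns: list[str]) -> str:
    """Mimic the ingest grok processor: several patterns become ONE regex,
    pattern0|pattern1|..., each wrapped in a group that records which alternative
    matched (this is what trace_match reports as _ingest._grok_match_index)."""
    return "|".join(f"(?P<alt{i}>{expand_grok(p)})" for i, p in enumerate(patterns))


def grok_search(patterns: list[str], text: str) -> tuple[int | None, dict[str, str]]:
    """Unanchored search like the processor. Returns (index of the alternative that
    matched, captured fields). The engine returns the LEFTMOST match, trying the
    alternatives in order only at each offset, so a catch-all that matches at
    offset 0 beats a specific pattern that only matches further down."""
    m = re.search(combine_patterns(patterns), text)
    if m is None:
        return None, {}
    index = next(i for i in range(len(patterns)) if m.group(f"alt{i}") is not None)
    fields = {k: v for k, v in m.groupdict().items()
              if not k.startswith("alt") and v is not None}
    return index, fields


# The two patterns exactly as in the post (Python raw strings instead of JSON escaping).
ORIGINAL_PATTERNS = [
    r"\s*Workstation Name:(?!\t-)\s*%{DATA:winlog.event_data.WorkstationName}\n\t.*",
    r"%{GREEDYDATA:message}",
]

# Fixed version (my change): let the specific pattern succeed at offset 0 by lazily
# skipping any leading text. [\s\S]*? also crosses newlines, which . does not.
# Now the first alternative can match at offset 0, and it is tried before the catch-all.
FIXED_PATTERNS = [
    r"[\s\S]*?\s*Workstation Name:(?!\t-)\s*%{DATA:winlog.event_data.WorkstationName}\n\t.*",
    r"%{GREEDYDATA:message}",
]

# Constructed, shortened 4624 text in the same tab/newline layout as the post's message.
EVENT_WITH_WORKSTATION = (
    "An account was successfully logged on.\n"
    "\n"
    "Network Information:\n"
    "\tWorkstation Name:\tTest\n"
    "\tSource Network Address:\t10.0.0.5\n"
    "\tSource Port:\t\t63218\n"
)
# Same constructed event with the "-" value that the (?!\t-) lookahead is meant to reject.
EVENT_WITH_DASH = EVENT_WITH_WORKSTATION.replace("Workstation Name:\tTest", "Workstation Name:\t-")


if __name__ == "__main__":
    print("original patterns:", grok_search(ORIGINAL_PATTERNS, EVENT_WITH_WORKSTATION))
    print("fixed patterns:   ", grok_search(FIXED_PATTERNS, EVENT_WITH_WORKSTATION))
    print("fixed, '-' value: ", grok_search(FIXED_PATTERNS, EVENT_WITH_DASH))
```

With the original list the emulation reports alternative 1 (the catch-all) and never captures `WorkstationName`; with the prefixed first pattern it reports alternative 0 and `WorkstationName = Test`, and falls back to the catch-all only when the value is `-`. In the pipeline JSON the prefix is written `[\\s\\S]*?`. Two caveats worth checking against your own events: because `.` stops at a newline in both Python's `re` and the Oniguruma syntax grok uses, `%{GREEDYDATA:message}` captures only the first line and, written back into `message`, would truncate the original event text; if the catch-all exists only to stop the processor failing on events without a workstation name, dropping it and setting `"ignore_failure": true` on the processor avoids both problems.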
