Meaning of '+' in a grok? Recreating grok (secondary)

CDR · June 26, 2017, 10:26pm

I inherited a configuration file that I need to build upon to make work for more logs. Currently when I run the stack I get errors

17:23:19.046 [[main]>worker11] WARN logstash.filters.grok - Timeout executing grok '%{DATESTAMP:date} %{DATA:hostName} (%{DATA:processName})?\[%{NUMBER:processID}\]: +%{DATA:host2} +(%{DATA:user})? +%{DATA:action} +%{DATESTAMP:date2} +%{DATA:first} +%{DATA:second} +%{DATA:third} +%{DATA:status} +%{NUMBER:number}' against field 'message' with value '09/26/16 12:10:17 bccdac1 alarm_select[19092]: bccdac1 e05543 AUTO-DEL:ON ACK 09/26/16 12:10:17 U2AGC130 AGC-UNITS Unit Status_ Colstrip Unit Connect Status Change CLOSED 2'!

I read in a previous post that multiple uses of DATA can slow down logstash and cause these errors. This is my grok pattern:

%{DATESTAMP:date} %{DATA:hostName} (%{DATA:processName})?\[%{NUMBER:processID}\]: +%{DATA:host2} +(%{DATA:user})? +%{DATA:action} +%{DATESTAMP:date2} +%{DATA:first} +%{DATA:second} +%{DATA:third} +%{DATA:status} +%{NUMBER:number}

I need to recreate this grok so that it does not produce this error anymore. I am wondering what the + signs mean/do? Also, any tips on recreating this grok more efficiently?

Thanks!

magnusbaeck · June 27, 2017, 5:44am

I am wondering what the + signs mean/do?

"One or more of the previous token."

Also, any tips on recreating this grok more efficiently?

The problem is probably the excessive use of DATA. In most cases you should be able to replace it with NOTSPACE, i.e. "any non-whitespace character". That's way more efficient.

system · July 25, 2017, 5:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.