Multiple custom grok patterns not matching, but they successfully match alone?

Grok matches single custom patterns, but does not match when custom patterns are combined.

Complete, working, and verifiable example

Sample data:

OK 05/20 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith _A0011

Custom patterns:

MMDD [0-1][0-9]/[0-3][0-9]
THREAD _W\w+

They work separately; specifically, this pattern works by itself:

%{MMDD:mmdd} 

// Result
{
  "mmdd": [
    [
      "05/20"
    ]
  ]
}

... and this pattern works by itself:

%{THREAD:thread}

// Result
{
  "thread": [
    [
      "_A0011"
    ]
  ]
}    

... but together, they fail:

%{MMDD:mmdd} %{THREAD:keyword}

No Matches

Puzzling. Tyvm Keith :^)

Note that I tried the solution presented in this post, but to no avail:

Also testing here:
https://grokdebug.herokuapp.com/

Regex Resource:

Hello, Keith,

Thanks for providing the sample data & regexes. That's very helpful.

TL;DR try something like %{MMDD:mmdd}.+%{THREAD:keyword} with these patterns

MMDD [0-1][0-9]/[0-3][0-9]
THREAD _\w+

Note: I think the THREAD regex had an extra character and should be THREAD _\w+ instead of THREAD _W\w+

The reason they worked individually but not together is because %{MMDD:mmdd} %{THREAD:keyword} translates to "find MMDD regex, followed by a single space character, followed by the THREAD regex"

Look at the results if we change the input to something like that (date SPACE id)

If we change the regex to account for the other characters which might be in between, it works as expected

%{MMDD:mmdd}.+%{THREAD:keyword} is "MMDD, then any number of any character (except newline), then THREAD".

There are options besides .+ to put in between, but you'll need something besides a single literal space character.

I hope that helps. Please let us know if we can help further.
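The behaviour described in the answer above, as an added example that is not part of either post and is not Logstash's own code: a grok expression expands into one regex, so whatever sits between two pattern references is matched literally. `grok_to_regex` and `grok` are hypothetical helpers, and the non-greedy `.+?` line is an addition showing that the choice of filler decides which `_\w+` token is captured.

```ruby
# Added example: minimal grok-style expansion on top of Ruby's Regexp.
# Not Logstash's implementation; it only handles %{NAME} and %{NAME:field}.

# Custom patterns from the thread (THREAD as corrected in the answer).
PATTERNS = {
  "MMDD"   => "[0-1][0-9]/[0-3][0-9]",
  "THREAD" => "_\\w+",
}.freeze

# The sample line from the question.
SAMPLE = "OK 05/20 20:12:10:067 ABC_02~~DE_02 FGH_IJK jsmith _A0011"

# Turn a grok expression into ONE regex: each %{NAME:field} becomes a named
# group, and everything between the references stays literal regex text.
def grok_to_regex(expr)
  source = expr.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = PATTERNS.fetch(name) { raise KeyError, "unknown pattern #{name}" }
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
  Regexp.new(source)
end

# Unanchored search, as in the thread; returns captures as a hash, or nil.
def grok(expr, line)
  m = grok_to_regex(expr).match(line)
  m && m.named_captures
end

if __FILE__ == $PROGRAM_NAME
  [
    "%{MMDD:mmdd}",                     # matches on its own
    "%{MMDD:mmdd} %{THREAD:keyword}",   # needs "date SPACE id": no match
    "%{MMDD:mmdd}.+%{THREAD:keyword}",  # greedy filler: last _\w+ token
    "%{MMDD:mmdd}.+?%{THREAD:keyword}", # lazy filler: first _\w+ token
  ].each { |e| puts "#{e.ljust(34)} => #{grok(e, SAMPLE).inspect}" }
end
```

With a greedy `.+` the capture is the last `_\w+` token on the line; with `.+?` it is `_02` from `ABC_02`, so parsed log fields should be checked against real lines before detections depend on them.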

Thanks for the response, John.

I'm a seasoned Dev, but a n00b to Grok.

I was under the impression that each space-separated grok filter was a separate little regex expression, and that the entire line was separately scanned for each.

Thanks for setting me straight.

Sincerely,
Keith
