The grok filter I have written is as follows:
grok {
match => { "correlationid:" => "(?\w{8}-\w{4}-\w{4}-\w{4}-\w{12})?" }
}
For the text below it is not showing any output:
"correlationid:" => "1000 | callhalf-1388133:0 | 3886c145-b301-4914-b4a4-dab2d5614aca"
But when I try the above filter without the ? it is working. This is what I tried after removing the ?:
grok {
match => { "correlationid:" => "(?\w{8}-\w{4}-\w{4}-\w{4}-\w{12})" }
}
Please make sure to format your configuration snippets as preformatted text (e.g. using the </> toolbar button) so we can see exactly what configuration you have.
I'm still confused. What's the point of the question mark at the opening of the parenthesis? And what's the overall point of the grok filter since you're not capturing any fields from it?
It seems the regexp engine chooses the simplest possible solution in this case, which is no match. Appending $ to the end of the expression fixes this problem. I'm not sure why.
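The behaviour described in that reply can be reproduced outside Logstash, because grok patterns are Oniguruma/Ruby regular expressions and a grok `match` is a search, not a whole-string match. The following is an added example, not code from the thread or from Logstash: it runs the three variants (optional group, optional group anchored with $, and required group) against the sample line from the question and reports where the match landed and which named fields were captured. The group name `uuid` is an assumption; the name inside the poster's `(?<...>...)` group did not survive in the post.

```ruby
# Added example (not from the original thread or Logstash itself).
# Shows why "(?<uuid>...)?" yields a zero-length match with no captured field,
# why "(?<uuid>...)?$" and "(?<uuid>...)" do capture, using plain Ruby regexes,
# which share syntax and search semantics with grok's Oniguruma engine.
# The group name "uuid" is an assumption; the original post lost the name.

# Sample line constructed from the one quoted in the question.
SAMPLE = "1000 | callhalf-1388133:0 | 3886c145-b301-4914-b4a4-dab2d5614aca".freeze

PATTERNS = {
  optional:          /(?<uuid>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})?/,   # the failing filter
  optional_anchored: /(?<uuid>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})?$/,  # the "$" fix from the reply
  required:          /(?<uuid>\w{8}-\w{4}-\w{4}-\w{4}-\w{12})/,    # the filter without "?"
}.freeze

# Mimic what grok does with a match: search the text, then keep only the
# named groups that actually participated (grok does not add a field for a
# group that matched nothing). Also report where the overall match started
# and how long it was, which is what exposes the zero-length match.
def grok_like(pattern, text)
  m = pattern.match(text)
  return nil unless m
  fields = m.names.each_with_object({}) { |name, h| h[name] = m[name] unless m[name].nil? }
  { offset: m.begin(0), length: m[0].length, fields: fields }
end

# Run every variant against the sample (or any other line) and collect results.
def explain_all(text = SAMPLE)
  PATTERNS.transform_values { |re| grok_like(re, text) }
end

if __FILE__ == $PROGRAM_NAME
  explain_all.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

With the optional, unanchored pattern the search succeeds at offset 0 with length 0: the group is skipped, the regex as a whole is satisfied by the empty string, so grok reports no parse failure and sets no field. Adding $ forbids that empty match at offset 0 (the next character is not end-of-line), so the engine keeps advancing until the group can match the UUID just before the end of the line; dropping the ? has the same effect because the group then has to match something.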