Oniguruma patern will not work in grok debuger

Marta_Zagrajek · December 27, 2019, 12:59pm

I have a filters like that:

filter {
  grok {
      match => { "message" => '%{TIME:timestamp} (\[)?(%{DATA:logger})?(\])? \{%{DATA:thread}\} %{LOGLEVEL:level} : (?<problem>(.|\r|\n)*)' }
      remove_field => ["message"]
      }
  grok {
      match => { "problem" => ''(?<exception>java(.*)Exception).*\z" }
  }
}

And in regex101 it is working and group exception is what I wanted to achieve.

Sample of problem field:

Problem with cache (get from DB):\njava.lang.NullPointerException: null\n09:56:49.712 pl.com.agora.api.client.rest.invocation.FutureCallbacksSupport {HttpClient@2052321524-scheduler} ERROR : Uri invocation failure callback failed. Invocation : AbstractUriInvocation [successful=false

and so on.
Why it is still telling that exception is the same as problem instead of only: java.lang.NullPointerException

andres-perez · December 27, 2019, 3:12pm

Hi
This pattern (?<exception>java(.*)Exception).*\z works as you expected on https://grokdebug.herokuapp.com/ with your problem field contents so I presume it may be due to syntax.

Is your grok filter a verbatim copy of the actual configuration?
Then, the repeated single quotes '' instead of double quotes " are wrong and it may be cause of this issue.

Marta_Zagrajek · December 30, 2019, 6:29am

Thank you, but I'm still getting no match even at herokuapp

Marta_Zagrajek · December 30, 2019, 11:29am

I have checked again in grok debugger and it's working!

system · January 27, 2020, 11:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.