Regex \d or \w not working any longer in 7.1.1, but in 6.6.2: unmatched range specifier in char-class:

asp · June 18, 2019, 10:32am

Hi,

I am getting following filter in LS 7.1.1:

[2019-06-18T09:31:39,304][ERROR][logstash.javapipeline    ] Pipeline aborted due to error {:pipeline_id=>"auskunft_json", :exception=>#<RegexpError: unmatched range specifier in char-class: /^\[(?<FAST_TIMESTAMP:logTime>[\d-: ,]{23})\] (?<GREEDYDATA:myMessage>.*)/m>, :backtrace=>["org/jruby/RubyRegexp.java:940:in `initialize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-grok-0.11.5/lib/grok-pure.rb:127:in `compile'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.0.4/lib/logstash/filters/grok.rb:281:in `block in register'", "org/jruby/RubyArray.java:1792:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.0.4/lib/logstash/filters/grok.rb:275:in `block in register'", "org/jruby/RubyHash.java:1419:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-grok-4.0.4/lib/logstash/filters/grok.rb:270:in `register'", "org/logstash/config/ir/compiler/AbstractFilterDelegatorExt.java:56:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:191:in `block in register_plugins'", "org/jruby/RubyArray.java:1792:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:190:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:446:in `maybe_setup_out_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:203:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:145:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:104:in `block in start'"], :thread=>"#<Thread:0x16cbfc4c run>"}
[2019-06-18T09:31:39,319][ERROR][logstash.agent           ] Failed to execute action {:id=>:auskunft_json, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<auskunft_json>, action_result: false", :backtrace=>nil}

The filter is running without this issue in LS 6.6.2.

Here is my filter which causes the trouble:

grok
    {
            match => ['message','^\[%{FAST_TIMESTAMP:logTime}\] %{GREEDYDATA:myMessage}']
            patterns_dir => ['${GLOBAL_GROK_PATTERN_DIR}']
    }

I hunted it down to the regex behind FAST_TIMESTAMP:

# causing issue
FAST_TIMESTAMP [\d-: ,]{23}

# causing issue
FAST_TIMESTAMP [\w-: ,]{23}

# fixing issue
FAST_TIMESTAMP [[0-9]-: ,]{23}

Seems as if regex "symbols" for word, number, etc. are not working any longer. I didn't find a corresponding breaking change in the documentation.

I haven't tried if "symbols" like \s, \S, etc. are still working.
Do I really have to alter all my grok parsings where such symbols are used, or is there a way to enable them again?

Thanks, Andreas

Badger · June 18, 2019, 1:55pm

In a character group (i.e. inside [ and ]) a - expresses a range. So that will match everything in the range of characters from \d to :, space or comma. I suspect you mean to use

[\d\-: ,]{23}

asp · June 20, 2019, 7:37am

Great, thanks for your reply. That's it. Seems that new logstash is enforcing the rules more than older versions, but after your hint it works.

system · July 18, 2019, 7:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok fails on a valid regex Logstash	2	757	June 6, 2020
After Updating Logstash to 7.7 from 7.6 regex isn't working the same Logstash	10	716	June 23, 2020
Seeing Grok regexp exception "incompatible encoding regexp match (UTF-8 regexp with ASCII-8BIT string)" Logstash	11	2166	May 15, 2018
Regex in mutate filter Logstash	4	1671	June 15, 2020
Squid pipeline returns 'RegexpError: unmatched close parenthesis' Logstash	1	524	June 14, 2019

Regex \d or \w not working any longer in 7.1.1, but in 6.6.2: unmatched range specifier in char-class:

Related topics