Hi.
When use ingest node, I find unexpected result for grok processor with multiple patterns.
The following works right:
POST _ingest/pipeline/_simulate
{
"pipeline": {
"description" : "parse multiple patterns",
"processors": [
{
"grok": {
"field": "message",
"patterns": ["%{FAVORITE_DOG:pet}", "%{FAVORITE_CAT:pet}"],
"pattern_definitions" : {
"FAVORITE_DOG" : "beagle",
"FAVORITE_CAT" : "burmese"
}
}
}
]
},
"docs":[
{
"_source": {
"message": "I love burmese cats!"
}
}
]
}
But if I replace "I love burmese cats!" with "I love beagle cats!", the result is unexpected:
{
"docs": [
{
"doc": {
"_type": "_type",
"_index": "_index",
"_id": "_id",
"_source": {
"message": "I love beagle dogs!"
},
"_ingest": {
"_grok_match_index": "0",
"timestamp": "2016-11-25T04:48:51.607+0000"
}
}
}
]
}
There is no pet field in _source!