Unexpected result for "I Love Burmese Cats example" in documentation

First of all, there is an unanswered post with this same issue, but it is already closed.

I'm testing the "I Love burmese cats!" example from grok processor documentation.

This request:

POST _ingest/pipeline/_simulate
{
  "pipeline": {
  "description" : "parse multiple patterns",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{FAVORITE_DOG:pet}", "%{FAVORITE_CAT:pet}"],
        "pattern_definitions" : {
          "FAVORITE_DOG" : "beagle",
          "FAVORITE_CAT" : "burmese"
        },
        "trace_match": true
      }
    }
  ]
},
"docs":[
  {
    "_source": {
      "message": "I love burmese cats!"
    }
  }
  ]
}

It shows this output and works as expected:

{
  "docs": [
    {
      "doc": {
        "_id": "_id",
        "_type": "_type",
        "_index": "_index",
        "_source": {
          "message": "burmese",
          "pet": "burmese"
        },
        "_ingest": {
          "_grok_match_index": "1",
          "timestamp": "2017-01-24T21:33:06.192+0000"
        }
      }
    }
  ]
}

But if I test the other case (when "message": "I love beagle cats!"):

POST _ingest/pipeline/_simulate
{
  "pipeline": {
  "description" : "parse multiple patterns",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{FAVORITE_DOG:pet}", "%{FAVORITE_CAT:pet}"],
        "pattern_definitions" : {
          "FAVORITE_DOG" : "beagle",
          "FAVORITE_CAT" : "burmese"
        },
        "trace_match": true
      }
    }
  ]
},
"docs":[
  {
    "_source": {
      "message": "I love beagle cats!"
    }
  }
  ]
}

The output is not as expected: the "pet" field is not being populated, but "_grok_match_index" says that the message matched the 1st pattern:

{
  "docs": [
    {
      "doc": {
        "_id": "_id",
        "_type": "_type",
        "_index": "_index",
        "_source": {
          "message": "I love beagle cats!"
        },
        "_ingest": {
          "_grok_match_index": "0",
          "timestamp": "2017-01-24T21:58:10.042+0000"
        }
      }
    }
  ]
}

What am I doing wrong? Is this a bug?

BTW I'm using ELK 5.1

Thanks in advance!

If I use different field names (pet1 and pet2), it works fine:

POST _ingest/pipeline/_simulate
{
  "pipeline": {
  "description" : "parse multiple patterns",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{FAVORITE_DOG:pet1}", "%{FAVORITE_CAT:pet2}"],
        "pattern_definitions" : {
          "FAVORITE_DOG" : "beagle",
          "FAVORITE_CAT" : "burmese"
        },
        "trace_match": true
      }
    }
  ]
},
"docs":[
  {
    "_source": {
      "message": "I love beagle cats!"
    }
  },
  {
    "_source": {
      "message": "I love burmese cats!"
    }
  }
  ]
}

Output:

{
  "docs": [
    {
      "doc": {
        "_id": "_id",
        "_type": "_type",
        "_index": "_index",
        "_source": {
          "message": "I love beagle cats!",
          "pet1": "beagle"
        },
        "_ingest": {
          "_grok_match_index": "0",
          "timestamp": "2017-01-24T22:02:43.181+0000"
        }
      }
    },
    {
      "doc": {
        "_id": "_id",
        "_type": "_type",
        "_index": "_index",
        "_source": {
          "message": "I love burmese cats!",
          "pet2": "burmese"
        },
        "_ingest": {
          "_grok_match_index": "1",
          "timestamp": "2017-01-24T22:02:43.181+0000"
        }
      }
    }
  ]
}

But then what if I want the value in the same pet field? Is it possible? How can I use the same pet field?

Thanks
