Extractor OR with same field parsing issue

alias · December 13, 2018, 1:42pm

Hi,

If I use a grok pattern to extract this, only one pattern match on bar value.
To simplify my usecase, I use an example with only two messages with two field.

I’ve two messages:

source foo in bar
source foo as bar1

Grok pattern:

source %{BASE10NUM:fieldA}(( in %{NOTSPACE:fieldB})|( as %{NOTSPACE:fieldB}))

I’ve for the first message:
fieldA - foo
fieldB - bar

For the second:
fieldA - foo

Indeed, for the second, le “extractor worker” doesn’t parse the second fieldB item …
Now, if I try to reverse the condition as:

Grok pattern:

source %{BASE10NUM:fieldA}(( as %{NOTSPACE:fieldB})|( in %{NOTSPACE:fieldB}))

I’ve for the first message:
fieldA - foo

For the second:
fieldA - foo
fieldB - bar1

Information:

I know that with this example, the solution is source %{BASE10NUM:fieldA} (as|in) %{NOTSPACE:fieldB}. But my goal was to reproduce my output with more complex logs

Do you have an idea ?

jan · December 13, 2018, 1:59pm

please see this issue: https://github.com/Graylog2/graylog2-server/issues/4773

alias · December 13, 2018, 2:02pm

Oh, sorry I not seen it …

Thanks … waiting for the 3.0 stable, I use several extractors

system · December 27, 2018, 2:02pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple Grok Patterns - We were not able to run the grok extraction. Please check your parameters Graylog Central (peer support)	7	1156	December 23, 2022
Extractor doesn't appears in field Graylog Central (peer support)	2	1035	June 6, 2019
Difficulties to apply extractors using regex Graylog Central (peer support) key_value	47	2484	April 22, 2022
Extractor help needed Graylog Central (peer support)	2	814	March 15, 2021
Grok Pattern ExtractorNot Extracting Graylog Central (peer support)	7	1104	March 14, 2019

Extractor OR with same field parsing issue

Related topics