Hello everyone,
I am new to GROK patterns, and I am currently struggling with implementing a pipeline rule and using GROK to extract data to fields.
I am using a grok debugger, and in the debugger my GROK pattern works fine. When I try to import it in my pipeline rule it fails with the following error:
Errors: mismatched input ‘“,\n value: to_string($message.”’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function IN in line 9 pos 141 Unknown function record_type in line 9 pos 151 mismatched input ‘:’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} token recognition error at: ‘\’ token recognition error at: ‘"%{DATA:date} %{TIME:time} client %{GREEDYDATA} %{IPV4:source_ip}#%{NUMBER:source_port} \(’ mismatched input ‘:’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} mismatched input ‘:’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function DATA in line 9 pos 129 Expected type String for argument pattern but found Map in call to function grok in line 8 pos 34 mismatched input ‘:’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} extraneous input ‘%’ expecting {‘(’, ‘[’, ‘{’, ‘+’, ‘-’, Not, ‘$message’, Boolean, Integer, Float, Char, String, Identifier} Unknown function query in line 9 pos 119 mismatched input ‘’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Undeclared variable name_server in line 9 pos 193 Unknown function lookup_info in line 9 pos 171 mismatched input ‘}’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} mismatched input ‘:’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} token recognition error at: ‘\’ mismatched input ‘}’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} Unknown function query in line 9 pos 134 Unknown function DATA in line 9 pos 146 token recognition error at: ‘")\n);\nset_fields(\n fields: gl2_fragment_grok_results\n);\nend’ extraneous input ‘%’ expecting 
{‘(’, ‘)’, ‘[’, ‘{’, ‘+’, ‘-’, Not, ‘$message’, Boolean, Integer, Float, Char, String, Identifier} token recognition error at: ‘\’ extraneous input ‘}’ expecting ‘(’ Unknown function message in line 10 pos 29 token recognition error at: ‘\’ token recognition error at: ‘\’ Missing required parameter value of type String in call to function grok in line 8 pos 34 mismatched input ‘%’ expecting {‘)’, ‘[’, ‘,’, ‘.’, ‘+’, ‘-’, ‘*’, ‘/’, ‘%’, ‘<=’, ‘>=’, ‘>’, ‘<’, ‘==’, ‘!=’, And, Or} mismatched input ‘}’ expecting ‘:’ Unknown function DATA in line 9 pos 166
Source data message example:
29-Jul-2025 20:38:45.533 client @0x7f8ec40733c8 10.1.10.1#60485 (80.207.58.194.in-addr.arpa): query: 80.207.58.194.in-addr.arpa IN PTR + (10.1.10.2)
GROK Pattern:
%{DATA:date} %{TIME:time} client %{GREEDYDATA} %{IPV4:source_ip}#%{NUMBER:source_port} \(%{GREEDYDATA}\): query: %{DATA:query} IN %{DATA:record_type} %{DATA:lookup_info} \(%{DATA:name_server}\)
I also have a WHEN condition on the rule, if that matters:
Check if string value in ‘message’ contains ‘query’
Any help would be much appreciated, thanks!
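To confirm what the posted pattern actually extracts from the sample line before wiring it into a rule, here is an added Python example (it is not from the original post and not Graylog's own grok implementation). It expands a small, simplified subset of the standard grok base patterns into a regex and runs it over the sample message from the post; the literal parentheses are escaped as `\(` and `\)`, which is how the rule error output shows them.

```python
import re
from typing import Optional

# Simplified stand-ins for the standard grok base patterns used by the
# posted pattern (constructed for this example; the real library is larger).
BASE_PATTERNS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "NUMBER": r"[+-]?[0-9]+(?:\.[0-9]+)?",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}"
            r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9]"
            r"(?::(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)?(?![0-9])",
}

# %{NAME} or %{NAME:field} references inside a grok pattern.
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

# Pattern from the post, with the literal parentheses escaped.
DNS_PATTERN = (
    r"%{DATA:date} %{TIME:time} client %{GREEDYDATA} "
    r"%{IPV4:source_ip}#%{NUMBER:source_port} \(%{GREEDYDATA}\): "
    r"query: %{DATA:query} IN %{DATA:record_type} %{DATA:lookup_info} "
    r"\(%{DATA:name_server}\)"
)

# Sample message from the post.
SAMPLE = ("29-Jul-2025 20:38:45.533 client @0x7f8ec40733c8 10.1.10.1#60485 "
          "(80.207.58.194.in-addr.arpa): query: 80.207.58.194.in-addr.arpa "
          "IN PTR + (10.1.10.2)")


def grok_to_regex(pattern: str) -> str:
    """Replace each %{NAME[:field]} with its base regex; named refs become
    named groups, unnamed refs become non-capturing groups."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        body = BASE_PATTERNS[name]  # KeyError = unknown grok pattern name
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return GROK_REF.sub(repl, pattern)


def grok_match(pattern: str, text: str) -> Optional[dict]:
    """Return the named captures as a dict, or None when nothing matches."""
    m = re.search(grok_to_regex(pattern), text)
    return m.groupdict() if m else None


if __name__ == "__main__":
    for field, value in (grok_match(DNS_PATTERN, SAMPLE) or {}).items():
        print(f"{field}: {value}")
```

Running it lists the seven named fields the pattern yields for the sample line; a `None` result means the pattern and the message disagree somewhere, which is worth checking before debugging the rule syntax itself.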