Grok Function Always Returns {} in Pipeline

Graylog Central (peer support)
1

Hello

It seems grok function doesn’t work in Graylog 2.2.2.

Graylog Version: graylog2/server:2.2.2-1
Elasticsearch Version: 2.4.4
MongoDB Version: 3.4
Clean installation with default’All messages’ stream, single pipeline, default stage, single rule:

rule "r1 desc"
when
  has_field("message")
then
 let matches = grok(pattern: "%{GREEDYDATA:x}", value: to_string($message.message));
 set_fields(matches);
 
 set_field("grok_matches", to_string(matches));
 set_field("y", to_string($message.message));
 set_field("z", 222); 
end

Simulate:

  • Stream: All messages
  • Message Codec: Raw String
  • Raw message: 157.55.39.201 2017-03-10T03:19:43+02:00 “xxx.xxx” “GET /xxx/xxx-xxx/ HTTP/1.1” 200 6418 “Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)”
  • Press “Load Message”

Added fields:

  • grok_matches: {}
  • y: 157.55.39.201 2017-03-10T03:19:43+02:00 “xxx.xxx” “GET /xxx/xxx-xxx/ HTTP/1.1” 200 6418 “Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)”
  • z: 222

‘x’ field is absent, ‘grok_matches’ field is {}.

How to fix the issue?

Thank you

2

For reference:

3

How are you importing the messages for which the Grok extraction fails?
Which character set are these messages using?

4

Turns out this is a bug in Graylog and it will be fixed in the next bug-fix release.

The workaround for current versions is to restart Graylog once after its initial start, so that the internal Grok pattern cache is correctly reloaded.

1 Like