Grok multiple pattern parsing issue

(Zoulja) #1

I’m trying to create grok pattern to match $upstream_response_time Nginx variable.
It can be float if single upstream is used
It can be 2 floats if 2 upstreams are used
“2.123, 1,32”
Or it can be dash, if request was proceeded without upstream

So far I came to the following regexp:
“(?<upstream_response_times>(%{NUMBER}|-)(, (%{NUMBER}|-)))"
"(?<upstream_response_times>(\d+.\d+|-)(, (\d+.\d+|-))

This pattern works in online regexp verification tools.
But it seems Graylog engine behaves in different way, so I get


We were not able to run the grok extraction because of the following error: 
named capturing group is missing trailing '>' near index 2286

Please advise how to deal with it

(Jan Doberstein) #2

you can find the detailed answer in this community.

In addition you mix GROK and Regex, what is not bad, but will make it more complicated. Why not using either or?

Just because if you had used plain regex, the problem wouldn’t be given and if you’d used plain GROK the problem wouldn’t be given too.

(Zoulja) #3

you can find the detailed answer in this community.

I could find only this topic by related keywords:

It has no solution, so I’m a little bit confused.

In addition you mix GROK and Regex

If you’re talking about named group - I was fighting this for some time but couldn’t find another way for such complicated pattern.
Any advice will be much appreciated.

(Jan Doberstein) #4

The main problem is this issue:

What is our issue in this:

(Zoulja) #5

Ah, now I’ve got it, thanks a lot, @jan!

So as for now I will use camelNotation, but is there some straight way to write down such patterns using pure grok?

(system) closed #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.