Hey there,
I’m working on parsing some HTTP logs from HAProxy. We format them in a special way for internal needs. Here’s what one line would look like:
10.155.26.5:55647 [id=D9B6AE8B:D95F_0AFFFF6D:01BB_5A43A5B9_F626A:37A0] [27/Dec/2017:13:52:57.470] frontend backend/server 0/0/0/204/204 200 2877 - - ---- 3/3/0/1/0 0/0 {host - user_agent - - -} {- private, -} "GET / HTTP/1.1"
To parse it, I’ve set up a pipeline with one rule:
rule "ha-gozy"
when
// some checks on "source" and "application_name" fields
then
let message_field = to_string($message.message);
let pattern = "\\[id=%{NOTSPACE:req_id}\\] \\[%{DATE:req_date}:%{TIME:req_time}\\] %{NOTSPACE:frontend} %{NOTSPACE:backend}/%{NOTSPACE:server} %{NOTSPACE} %{NUMBER:status_code} \{%{NOTSPACE:hostname} %{NOTSPACE} %{NOTSPACE:user_agent} %{DATA}\} %{DATA} \"%{NOTSPACE:method} %{NOTSPACE:path} %{NOTSPACE:http_ver}\"";
let fields = grok(to_string(pattern), message_field);
set_fields(fields);
end
Notice the escaping of the curly brackets in pattern. I need to escape them because if I don’t, Grok will try to interpret them as a block to replace, and give me a nasty error.
However, I don’t seem to be able to escape them, because when I do so the editor gives me a bunch of errors:
Unknown function DATA in line 7 pos 253
no viable alternative at input '%'
token recognition error at: '\'
Unknown function DATA in line 7 pos 243
mismatched input '}' expecting '('
Unknown function NOTSPACE in line 7 pos 187
Unknown function NOTSPACE in line 7 pos 220
token recognition error at: '"\\[id=%{NOTSPACE:req_id}\\] \\[%{DATE:req_date}:%{TIME:req_time}\\] %{NOTSPACE:frontend} %{NOTSPACE:backend}\\/%{NOTSPACE:server} %{NOTSPACE} %{NUMBER:status_code} \{'
mismatched input ':' expecting '('
Unknown function hostname in line 7 pos 196
Unknown function NOTSPACE in line 7 pos 208
Unknown function user_agent in line 7 pos 229
and hitting “Save” doesn’t save the rule. FTR, the same happens when you try to escape square brackets.
Judging from the errors, it seems to me that \{ appears to be closing the string (with \} reopening it) or something like that. And I’m not sure I understand the reason behind it.
Is there something I missed, a better way of escaping brackets that doesn’t mess my string up?
Graylog’s version is v2.3.0+81f8228 fwiw.
Thanks!
Edit: I just realised that this was happening every time I append \ and a character, with a few exceptions.
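
The two escaping layers behind the errors above, as an added example that is not part of the original post and is not Graylog code. It is a small Python model that assumes the rule language accepts only Java-style escapes inside a string literal, so \{ is rejected by the rule lexer before Grok sees it, while \\{ reaches the regex engine as \{. The names unescape_literal, first_header and SAMPLE are hypothetical; SAMPLE is a fragment of the log line in the post.

```python
import re

# Assumption: inside a rule string literal only these Java-style escapes
# (plus \uXXXX) are legal; any other backslash pair is a lexer error.
SIMPLE_ESCAPES = {"b": "\b", "t": "\t", "n": "\n", "f": "\f", "r": "\r",
                  '"': '"', "'": "'", "\\": "\\"}


def unescape_literal(body):
    """Return the text a string literal body denotes, or raise ValueError."""
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            raise ValueError(f"unescaped quote at {i} ends the literal")
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash")
        nxt = body[i + 1]
        if nxt == "u" and re.fullmatch(r"[0-9a-fA-F]{4}", body[i + 2:i + 6]):
            out.append(chr(int(body[i + 2:i + 6], 16)))
            i += 6
            continue
        if nxt not in SIMPLE_ESCAPES:
            raise ValueError(f"token recognition error at: '\\{nxt}'")
        out.append(SIMPLE_ESCAPES[nxt])
        i += 2
    return "".join(out)


# Fragment of the log line in the post (status code up to the header blocks).
SAMPLE = "200 2877 - - ---- 3/3/0/1/0 0/0 {host - user_agent - - -} {- private, -}"


def first_header(literal_body):
    """Layer 1: lex the literal. Layer 2: use the result as a regex on SAMPLE."""
    regex = unescape_literal(literal_body)
    match = re.search(regex, SAMPLE)
    return match.group(1) if match else None


if __name__ == "__main__":
    print(first_header(r"\\{(\\S+) "))   # doubled backslashes survive the lexer
```
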