Pipeline rule: Escaping brackets in grok template


(Brendan Abolivier) #1

Hey there,

I’m working on parsing some HTTP logs from HAproxy. We format them in a special way for internal needs. Here’s what one line would look like:

10.155.26.5:55647 [id=D9B6AE8B:D95F_0AFFFF6D:01BB_5A43A5B9_F626A:37A0] [27/Dec/2017:13:52:57.470] frontend backend/server 0/0/0/204/204 200 2877 - - ---- 3/3/0/1/0 0/0 {host - user_agent - - -} {- private, -} "GET / HTTP/1.1"

To parse it, I’ve set up a pipeline with one rule:

rule "ha-gozy"
when
    // some checks on "source" and "application_name" fields
then
    let message_field = to_string($message.message);
    let pattern = "\\[id=%{NOTSPACE:req_id}\\] \\[%{DATE:req_date}:%{TIME:req_time}\\] %{NOTSPACE:frontend} %{NOTSPACE:backend}/%{NOTSPACE:server} %{NOTSPACE} %{NUMBER:status_code} \{%{NOTSPACE:hostname} %{NOTSPACE} %{NOTSPACE:user_agent} %{DATA}\} %{DATA} \"%{NOTSPACE:method} %{NOTSPACE:path} %{NOTSPACE:http_ver}\"";
    let fields = grok(to_string(pattern), message_field);
    set_fields(fields);
end

Notice the escaping of the curly brackets in pattern. I need to escape them because if I don’t, Grok will try to interpret them as a block to replace, and give me a nasty error.

However, I don’t seem to be able to escape them, because when I do so the editor gives me a bunch of errors:

Unknown function DATA in line 7 pos 253
no viable alternative at input '%'
token recognition error at: '\'
Unknown function DATA in line 7 pos 243
mismatched input '}' expecting '('
Unknown function NOTSPACE in line 7 pos 187
Unknown function NOTSPACE in line 7 pos 220
token recognition error at: '"\\[id=%{NOTSPACE:req_id}\\] \\[%{DATE:req_date}:%{TIME:req_time}\\] %{NOTSPACE:frontend} %{NOTSPACE:backend}\\/%{NOTSPACE:server} %{NOTSPACE} %{NUMBER:status_code} \{'
mismatched input ':' expecting '('
Unknown function hostname in line 7 pos 196
Unknown function NOTSPACE in line 7 pos 208
Unknown function user_agent in line 7 pos 229

and hitting “Save” doesn’t save the rule. FTR, the same happens when you try to escape square brackets.

Judging from the errors, it seems to me that \{ appears to be closing the string (with \} reopening it) or something like that. And I’m not sure I understand the reason behind it.

Is there something I missed, a better way of escaping brackets that doesn’t mess my string up?

Graylog’s version is v2.3.0+81f8228 fwiw.

Thanks!

Edit: I just realised that this was happening everytime I append \ and a character, with a few exception.


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.