Grok's GREEDYDATA ignores <string>

Description

I have a grok filter:

grok {
  type => "syslog_java"
  pattern => "<%{POSINT:syslog_pri}>%{GREEDYDATA:real_message}"
  add_tag => [ "should_be_replaced" ]
  tag_on_failure => "false"
}

If I input the following string:

<11>2013-06-27 16:39:39,351 ERROR emailHighPrioCS:149 - Something went wrong while sending a form for campaign nummers
Error:
<errors>
<error>
Value: respondee_gender was found in the response2_cols but no matching value was found in the http request</error>
</errors>

then syslog_pri="11" and real_message is "2013-06-27 16:39:39,351 ERROR emailHighPrioCS:149 - Something went wrong while sending a form for campaign nummers Error: Value: respondee_gender was found in the response2_cols but no matching value was found in the http request". This means that the data between the tags, including the tags themselves, are lost in the process. This works with any string between < and >.

testing discovered


Activity


Philippe Weber April 11, 2014 at 7:27 AM

Cannot reproduce in master,
so it seems to have been fixed in the meanwhile

Richard Pijnenburg September 13, 2013 at 11:29 AM

We will have a look at this.
Please do note that your event seems to be a multi-line event.
Perhaps you also need the multiline filter.

Cheers.
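
A regression check for the behaviour discussed in this issue, added here as an example; it is not code from the report, the comments, or Logstash. It expands the reported pattern with the stock grok definitions of POSINT and GREEDYDATA into a plain Ruby regex (assuming Ruby's engine is close enough to grok's for this pattern), shows that `.*` stops at the first newline unless dot-matches-newline is enabled, and lists any angle-bracketed tokens missing from the captured field. The names `parse` and `lost_tags` are hypothetical.

```ruby
# Added example, not Logstash's grok implementation.
POSINT     = '\b(?:[1-9][0-9]*)\b' # stock grok pattern definition
GREEDYDATA = '.*'                  # stock grok pattern definition

# Sample input constructed from the event quoted in the report.
EVENT = <<~LOG.chomp
  <11>2013-06-27 16:39:39,351 ERROR emailHighPrioCS:149 - Something went wrong while sending a form for campaign nummers
  Error:
  <errors>
  <error>
  Value: respondee_gender was found in the response2_cols but no matching value was found in the http request</error>
  </errors>
LOG

# Apply <%{POSINT:syslog_pri}>%{GREEDYDATA:real_message} as a plain regex.
# multiline: true lets "." match newlines, so the whole event is captured.
def parse(event, multiline: false)
  opts = multiline ? Regexp::MULTILINE : 0
  re = Regexp.new("<(?<syslog_pri>#{POSINT})>(?<real_message>#{GREEDYDATA})", opts)
  m = re.match(event)
  return nil unless m
  { 'syslog_pri' => m[:syslog_pri], 'real_message' => m[:real_message] }
end

# Angle-bracketed tokens that are in the raw event (after the PRI prefix)
# but absent from the captured field. An empty list means nothing was dropped.
def lost_tags(event, field)
  body = event.sub(/\A<\d+>/, '')
  body.scan(/<[^<>\n]+>/).reject { |tag| field.include?(tag) }
end

if __FILE__ == $PROGRAM_NAME
  single = parse(EVENT)
  full   = parse(EVENT, multiline: true)
  puts "syslog_pri=#{single['syslog_pri']}"
  puts "first line only, missing: #{lost_tags(EVENT, single['real_message']).inspect}"
  puts "whole event, missing:     #{lost_tags(EVENT, full['real_message']).inspect}"
end
```

Running `lost_tags` against the `real_message` value produced by a real pipeline turns the symptom described in the report into a testable condition.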

Fixed

Details

Created June 27, 2013 at 2:56 PM
Updated April 11, 2014 at 7:27 AM
Resolved April 11, 2014 at 7:27 AM