split Breaks Subsequent groks

Description

If you use the split {} filter, then have a grok after it, the grok never matches.

Example configuration:
input {

stdin {
codec => "plain"
type => "blah"
}

}

  1. ____________________________________________________________________________________________

  2. ____________________________________________________________________________________________

  3. ____________________________________________________________________________________________

filter {

if [type] == "blah" {
split {}
grok {
match => [ "message", "%{GREEDYDATA:test}" ]
}
}

}

  1. ____________________________________________________________________________________________

  2. ____________________________________________________________________________________________

  3. ____________________________________________________________________________________________

output {

stdout {
debug => "true"
codec => "rubydebug"
}

}

Activity

Show:
Chris Decker
September 19, 2013, 7:10 PM

Tested and confirmed as a bug by whack via IRC.

Philippe Weber
September 20, 2013, 4:09 AM

Duplicate of

Daniel Morrow
November 5, 2013, 2:06 PM

Hi guys,

Confirming that I am experiencing this issue also, no filters are applied to an event following a split filter being used. Is there any planned work to resolve this issue?

kind regards

Daniel Morrow

Chris Decker
November 5, 2013, 2:26 PM

@Daniel Morrow: I worked around the issue by adding codec => "line" on my input. I'm not sure if it'll work for your situation, but it did for mine.

Daniel Morrow
November 11, 2013, 4:43 PM

Hi Chris,

apologies for the delayed response, sadly the the "line" codec will not work in my scenario, my input is a multilined event, and the split events need some context from the entire multilined event.

thanks anyway

kind regards

Daniel

Assignee

Philippe Weber

Reporter

Chris Decker

Labels

Affects versions

Configure