Docs do not mention that hyphens/dashes are not allowed in the semantic part of grok patterns

Description

While creating some custom grok patterns for my Apache logs, I got bit by the fact that dashes are apparently not allowed in the semantic part of grok patterns. When a dash is used in a semantic identifier, it will be truncated at the first occurrence, which can lead to unwanted merging of fields into arrays.

The issue is not so much this behaviour in and of itself (which I'm sure is there for technical reasons), but rather that this doesn't seem to be mentioned anywhere on the 'grok' filter's documentation pages.

Example:

Output (somewhat prettified for readability):

Note that there is one field "request" containing both values, rather than two separate fields "request-size" and "request-duration".

Environment

None

Status

Assignee

Jordan Sissel

Reporter

JDR

Labels

None

Fix versions

Affects versions

Priority

Configure