Docs do not mention that hyphens/dashes are not allowed in the semantic part of grok patterns
Description
Gliffy Diagrams
Activity
Show:

Philippe Weber June 7, 2013 at 4:39 AM
Fixed in grok and logstash
https://github.com/logstash/logstash/commit/fe859f9464da1034527a41b531340420e3d31ccd
While creating some custom grok patterns for my Apache logs, I got bit by the fact that dashes are apparently not allowed in the semantic part of grok patterns. When a dash is used in a semantic identifier, it will be truncated at the first occurrence, which can lead to unwanted merging of fields into arrays.
The issue is not so much this behaviour in and of itself (which I'm sure is there for technical reasons), but rather that this doesn't seem to be mentioned anywhere on the 'grok' filter's documentation pages.
Example:
Output (somewhat prettified for readability):
Note that there is one field "request" containing both values, rather than two separate fields "request-size" and "request-duration".