Docs do not mention that hyphens/dashes are not allowed in the semantic part of grok patterns

Description

While creating some custom grok patterns for my Apache logs, I got bit by the fact that dashes are apparently not allowed in the semantic part of grok patterns. When a dash is used in a semantic identifier, it will be truncated at the first occurrence, which can lead to unwanted merging of fields into arrays.

The issue is not so much this behaviour in and of itself (which I'm sure is there for technical reasons), but rather that this doesn't seem to be mentioned anywhere on the 'grok' filter's documentation pages.

Example:

Output (somewhat prettified for readability):

Note that there is one field "request" containing both values, rather than two separate fields "request-size" and "request-duration".
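A lint check for the behaviour described in this report, as an added example that is not part of the original issue or of Logstash's own code. It assumes the truncate-at-first-dash behaviour the reporter describes; the sample pattern and its `client` field are constructed, and `lint_grok` and `effective_name` are hypothetical helper names.

```ruby
# Added example: lint grok expressions for hyphenated semantic names.
# Models the behaviour reported in this issue (name cut at the first '-');
# it is not Logstash's own parser.

# Matches %{SYNTAX:SEMANTIC} and %{SYNTAX:SEMANTIC:type}. The semantic part
# is captured loosely so that hyphenated names can be detected.
GROK_REF = /%\{(?<syntax>\w+):(?<semantic>[^}:]+)(?::\w+)?\}/

# Field name that results per the report: truncated at the first '-'.
def effective_name(semantic)
  semantic.split("-", 2).first
end

# Returns a hash with:
#   :truncated  => [[written_name, effective_name], ...]
#   :collisions => { effective_name => [written names sharing it] }
def lint_grok(expression)
  written = expression.scan(GROK_REF).map { |_syntax, semantic| semantic }
  truncated = written.select { |s| s.include?("-") }
                     .map { |s| [s, effective_name(s)] }
  collisions = written.group_by { |s| effective_name(s) }
                      .select { |_name, group| group.size > 1 }
  { truncated: truncated, collisions: collisions }
end

# Constructed sample pattern using the two field names from the report.
SAMPLE = '%{IP:client} %{NUMBER:request-size} %{NUMBER:request-duration}'

if __FILE__ == $PROGRAM_NAME
  report = lint_grok(SAMPLE)
  report[:truncated].each { |from, to| puts "#{from} -> #{to}" }
  report[:collisions].each do |name, group|
    puts "fields #{group.join(', ')} merge into '#{name}'"
  end
end
```

Renaming the flagged fields with underscores (for example `request_size`) keeps them as separate fields.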

Activity

Philippe Weber June 7, 2013 at 4:39 AM

Fixed

Details

Created March 18, 2013 at 11:06 PM
Updated June 7, 2013 at 4:39 AM
Resolved June 7, 2013 at 4:39 AM