grok regex parsing not matching a log. when specifying a group as optional, but not the last group

Question

Example:

info: 2014-10-28T22:39:46.593Z - info: an error occurred while trying to handle command: PlaceMarketOrderCommand, xkkdAAGRIl. Error: Insufficient Cash #userId=5 #orderId=Y5545

pattern:

> %{LOGLEVEL:stream_level}: %{TIMESTAMP_ISO8601:timestamp} -
> %{LOGLEVEL:log_level}: %{MESSAGE:message}
> (#userId=%{USER_ID:user_id})? (#orderId=%{ORDER_ID:order_id})?

extra patterns used:

USER_ID (\d+|None)
ORDER_ID .*
ORDER_ID_HASH \s*(#orderId=%{ORDER_ID:order_id})?
USER_ID_HASH \s*(#userId=%{USER_ID:user_id})?
MESSAGE (.*?)

Works fine: removing the optional last orderId also works

info: 2014-10-28T22:39:46.593Z - info: an error occurred while trying to handle command: PlaceMarketOrderCommand, xkkdAAGRIl. Error: Insufficient Cash #userId=5

but if I keep the orderId and remove the userId then I get a "no match"

info: 2014-10-28T22:39:46.593Z - info: an error occurred while trying to handle command: PlaceMarketOrderCommand, xkkdAAGRIl. Error: Insufficient Cash #orderId=Y5545

Also the user_id group is ending with a ? as an optional group..

working with the grok debugger in heroku:

Is this a bug? (logstash 1.4.2) missing something with the regex? (more probable.. but what?)

I looked at the regex lib grok is using and looks this syntax supposed to work. It does work for the last group (orderId) but not for the one before..

Thanks for the help!

score 1 · Answer 1 · answered Oct 29 '14 at 13:07

1

You are forcing a space to be before your optional last... you need to do ?:

%{LOGLEVEL:stream_level}: %{TIMESTAMP_ISO8601:timestamp} -> %{LOGLEVEL:log_level}: %{MESSAGE:message} ?(#userId=%{USER_ID:user_id})? ?(#orderId=%{ORDER_ID:order_id})?

answered Oct 29 '14 at 13:07

Alcanzar

16,985
6
42
59

grok regex parsing not matching a log. when specifying a group as optional, but not the last group

1 Answers1