Grok filter is not working when id has dashes

Question

I have a sample input like below.

[2022-01-06 19:51:42,143] [http-nio-8080-exec-7] DEBUG  [50a4f8740c30b9ca,c1b11682-1eeb-4538-b7f6-d0fb261b3e1d]

I implemented a grok filter to validate the text.

\[%{TIMESTAMP_ISO8601:timestamp}\] \[(?<threadname>[^\]]+)\] %{LOGLEVEL:logLevel}  \[%{WORD:traceId},%{WORD:correlationId}\]

When I validate it, it says there are no matches. But If I remove - in correlation id, that filter is working fine. Is there any modification to do to the filter to accept - in the correlation id?

score 1 · Accepted Answer · answered Jan 07 '22 at 07:09

1

Try this.

\[%{TIMESTAMP_ISO8601:timestamp}\] \[%{DATA:threadName}\] %{LOGLEVEL:logLevel}  \[%{DATA:traceId},%{DATA:correlationId}\]

answered Jan 07 '22 at 07:09

Bee

12,251
11
46
73

score 1 · Answer 2 · answered Jan 07 '22 at 07:12

Acording to this %{WORD} pattern is defined by this regular expression \b\w+\b

\w captures alphanumeric
\b captures word boundaries. It helps you to perform whole words only

So if your original text contains a - it will never be capturing it.

You can try %{DATA} instead as it captures .*?

Grok filter is not working when id has dashes

2 Answers2