
Grok extractor expects "Store as field" in 2.0 alpha-4 #1883

Closed
jekelundh opened this Issue Mar 3, 2016 · 6 comments

4 participants
@jekelundh

jekelundh commented Mar 3, 2016

Problem description

The Grok input extractor expects a "Store as field" value, which implies that only one field per extractor can be extracted.

Steps to reproduce the problem

  1. Add an input extractor from search -> message -> grok
  2. Apply a grok pattern

Environment

Java: OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)

  • Graylog Version: 2.0 Alpha-4
  • Elasticsearch Version: elasticsearch-2.1.0-1.noarch
  • MongoDB Version: mongodb-org-3.0.9-1.el7.x86_64
  • Operating System: CentOS Linux release 7.1.1503 (Core)
@jekelundh


jekelundh commented Mar 3, 2016

Forgot Java version:
OpenJDK Runtime Environment (build 1.8.0_71-b15)

@kroepke


Member

kroepke commented Mar 4, 2016

The UI is a little misleading, the grok extractor should create multiple fields, even though the interface suggests otherwise.
Are you sure the extractor is actually broken?

@jekelundh


jekelundh commented Mar 4, 2016

Hi Kay,
The extractor works (even with multiple extractions), but the "Store as field" field is not populated. In 1.3.3 there is no such field, so that piece of code must have been accidentally copied from a similar function?

1.3.3
[image: Inserted image 1]

2.0a4
[image: Inserted image 2]

//Johan

@kroepke kroepke added bug S3 P3 and removed to-verify labels Mar 4, 2016

@kroepke kroepke added this to the 2.0.0 milestone Mar 4, 2016

@kroepke


Member

kroepke commented Mar 4, 2016

Ah I see, yes, then that's probably a bug when we ported the code over. Thanks!

@123dev


123dev commented Mar 10, 2016

I was hoping it would allow us to extract a regex portion into the field specified in "Store as field".
For example, with the following log data:
kernel: DROP IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8
kernel: ACCEPT IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8

Grok pattern:
kernel: (.*) IN=%{DATA:IN} OUT=%{DATA:OUT} SRC=%{IP:src} DST=%{IP:dst}

I hoped to see DROP or ACCEPT in the field specified by "Store as field".
I guess it was not meant to be.

Sorry to ask this question here, but it touches the grok patterns:
Is it possible to do a conditional match with grok in Graylog?
Let's say the log might or might not contain MACSRC before SRC.
Extract it if it exists, and continue to the next field if it does not.

Thanks
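To illustrate the two points raised in the comment above (getting DROP/ACCEPT into a field, and matching an optional MACSRC before SRC), here is an added, stand-alone Python example that is not part of the Graylog project or of this thread. It compiles a grok-style pattern into a Python regex: each `%{TYPE:name}` reference becomes a named capture group, which is what a grok extractor turns into a message field, while an unnamed `(.*)` produces no field at all. The pattern table is a simplified subset of the stock grok definitions (the real `IP` pattern also covers IPv6), the log lines are constructed samples based on the ones in the comment, and the optional-segment syntax `(?:...)?` is plain regex, which the example assumes is permitted alongside `%{...}` references.

```python
import re

# Simplified subset of the stock grok pattern library (assumption: real definitions are broader).
GROK_PATTERNS = {
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "IPV4": r"(?:\d{1,3}\.){3}\d{1,3}",
    "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
}
GROK_PATTERNS["IP"] = GROK_PATTERNS["IPV4"]  # IPv4 only in this toy table

# Matches %{TYPE} or %{TYPE:field}
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{TYPE:field} references into (?P<field>...) named groups.

    A reference without a field name becomes a non-capturing group, so it
    matches text but yields no field, which mirrors why an unnamed (.*) in a
    grok pattern never shows up as an extracted field.
    """

    def repl(m: re.Match) -> str:
        pattern_name, field = m.group(1), m.group(2)
        body = GROK_PATTERNS[pattern_name]  # KeyError for unknown pattern names
        return f"(?P<{field}>{body})" if field else f"(?:{body})"

    return _GROK_REF.sub(repl, pattern)


def grok_match(pattern: str, line: str):
    """Return a dict of named fields for the first match, or None if no match.

    Groups that did not participate (e.g. an optional MACSRC segment that is
    absent) are dropped so the caller sees only fields that were really present.
    """
    m = re.search(grok_to_regex(pattern), line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


# The action is captured with a named WORD reference instead of an unnamed (.*),
# and the MACSRC segment is wrapped in an optional regex group so lines with or
# without it both match.
FIREWALL_PATTERN = (
    r"kernel: %{WORD:action} IN=%{DATA:IN} OUT=%{DATA:OUT} "
    r"(?:MACSRC=%{MAC:macsrc} )?SRC=%{IP:src} DST=%{IP:dst}"
)

# Constructed sample log lines (the third one adds an optional MACSRC field).
SAMPLE_LINES = [
    "kernel: DROP IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8",
    "kernel: ACCEPT IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8",
    "kernel: DROP IN=br0 OUT=vlan2 MACSRC=00:11:22:33:44:55 SRC=10.1.1.15 DST=8.8.8.8",
]


def extract_all(lines=SAMPLE_LINES, pattern=FIREWALL_PATTERN):
    """Run the pattern over every line and return the list of field dicts."""
    return [grok_match(pattern, line) for line in lines]


if __name__ == "__main__":
    for fields in extract_all():
        print(fields)
```

Running it shows `action` populated with DROP or ACCEPT on every line, and `macsrc` present only on the third line; a line that matches the pattern but lacks MACSRC simply omits that field rather than failing the whole match.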

@edmundoa edmundoa self-assigned this Apr 4, 2016

edmundoa added a commit that referenced this issue Apr 4, 2016

@edmundoa


Member

edmundoa commented Apr 4, 2016

@123dev, please create a new issue if you want to submit a feature. Otherwise this will become real messy :)

@bernd bernd closed this in 57f785d Apr 12, 2016

@kroepke kroepke added the triaged label Sep 21, 2016
