
Grok extractor expects "Store as field" in 2.0 alpha-4 #1883

Closed
jekelundh opened this issue Mar 3, 2016 · 6 comments
@jekelundh jekelundh commented Mar 3, 2016

Problem description

Grok input extractor expects "Store as field", meaning only one field per extractor can be extracted.

Steps to reproduce the problem

  1. Add input extractor from search -> message -> grok
  2. Apply grok pattern

Environment

  • Java: OpenJDK 64-Bit Server VM (build 25.71-b15, mixed mode)
  • Graylog Version: 2.0 Alpha-4
  • Elasticsearch Version: elasticsearch-2.1.0-1.noarch
  • MongoDB Version: mongodb-org-3.0.9-1.el7.x86_64
  • Operating System: CentOS Linux release 7.1.1503 (Core)
@jekelundh jekelundh commented Mar 3, 2016

Forgot Java version:
OpenJDK Runtime Environment (build 1.8.0_71-b15)

@kroepke kroepke commented Mar 4, 2016

The UI is a little misleading, the grok extractor should create multiple fields, even though the interface suggests otherwise.
Are you sure the extractor is actually broken?

@jekelundh jekelundh commented Mar 4, 2016

Hi Kay,
The extractor works (even with multiple extractions) but the "Store as field" field is not populated. In 1.3.3 there is no such field, so that piece of code must have been accidentally copied from a similar function?

1.3.3
[image: Inserted image 1]

2.0a4
[image: Inserted image 2]

//Johan

@kroepke kroepke added bug S3 P3 and removed to-verify labels Mar 4, 2016
@kroepke kroepke added this to the 2.0.0 milestone Mar 4, 2016
@kroepke kroepke commented Mar 4, 2016

Ah I see, yes, then that's probably a bug when we ported the code over. Thanks!

@123dev 123dev commented Mar 10, 2016

I was hoping it would allow us to extract a regex portion into the field specified in "Store as field".
For example, with the following log data:
kernel: DROP IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8
kernel: ACCEPT IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8

Grok pattern (references use the %{SYNTAX:SEMANTIC} form):
kernel: (.*) IN=%{DATA:IN} OUT=%{DATA:OUT} SRC=%{IP:src} DST=%{IP:dst}

Hoped to see DROP or ACCEPT in the field specified by "Store as field".
I guess it was not meant to be.

Sorry to ask this question here, but it touches the grok patterns.
Is it possible to do a conditional match with GROK in Graylog?
Let's say the log might or might not contain MACSRC before SRC.
Extract it if it exists; if it does not, continue on to the next field.

Thanks
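The two points raised in this thread (a grok extractor yields one field per named capture rather than a single "Store as field", and an optional token such as MACSRC can be matched conditionally) can be shown with a small grok-to-regex expander. This is an added example, not Graylog's or java-grok's code: it assumes a hand-picked subset of pattern definitions (IP, MAC, WORD, DATA), Python's `(?P<name>...)` group syntax in place of Java's `(?<name>...)`, and sample lines constructed from the firewall messages quoted above plus one with a MACSRC token.

```python
import re
from typing import Optional

# Constructed subset of stock grok definitions (assumption: a real grok
# library ships hundreds; these mirror the shape of IP, MAC, WORD, DATA).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
    "WORD": r"\w+",
    "DATA": r".*?",
}

# A grok reference is %{SYNTAX} or %{SYNTAX:SEMANTIC}; SEMANTIC becomes the
# field name. Everything else in the pattern passes through as plain regex,
# which is how an optional piece like MACSRC is expressed.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand grok references into (named) regex groups."""
    def expand(m):
        syntax, semantic = m.group(1), m.group(2)
        if syntax not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern %{{{syntax}}}")
        base = GROK_PATTERNS[syntax]
        return f"(?P<{semantic}>{base})" if semantic else f"(?:{base})"

    regex = _GROK_REF.sub(expand, pattern)
    # A leftover %{ means a reference that did not parse, e.g. %{IP,src}
    # written with a comma instead of a colon; fail loudly rather than
    # silently extracting nothing.
    if "%{" in regex:
        raise ValueError(f"malformed grok reference in: {pattern}")
    return regex


def grok_match(pattern: str, line: str) -> Optional[dict]:
    """Return every named field the pattern extracts, or None on no match."""
    m = re.search(grok_to_regex(pattern), line)
    if m is None:
        return None
    # Fields inside an optional group that did not participate come back as
    # None; drop them so the message only carries fields that really exist.
    return {k: v for k, v in m.groupdict().items() if v is not None}


# The verdict is captured as its own named field (%{WORD:verdict}) instead of
# relying on "Store as field"; MACSRC sits in an optional non-capturing group,
# so it is extracted when present and skipped otherwise. One extractor, five
# or six fields, which is what makes DROP vs ACCEPT searchable and alertable.
FIREWALL_PATTERN = (
    r"kernel: %{WORD:verdict} IN=%{DATA:IN} OUT=%{DATA:OUT} "
    r"(?:MACSRC=%{MAC:macsrc} )?SRC=%{IP:src} DST=%{IP:dst}"
)

# Constructed sample lines: the first two are the ones quoted in the comment
# above, the third adds a MACSRC token to exercise the optional group.
SAMPLE_LINES = [
    "kernel: DROP IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8",
    "kernel: ACCEPT IN=br0 OUT=vlan2 SRC=10.1.1.15 DST=8.8.8.8",
    "kernel: ACCEPT IN=br0 OUT=vlan2 MACSRC=00:11:22:33:44:55 SRC=10.1.1.15 DST=8.8.8.8",
]


def extract_all(lines=SAMPLE_LINES, pattern=FIREWALL_PATTERN):
    """Run the pattern over each line and collect the extracted fields."""
    return [grok_match(pattern, line) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, extract_all()):
        print(line)
        print("  ->", fields)
```

The `DATA` definition is deliberately lazy (`.*?`), so `OUT` stops at the first space that is followed by either `MACSRC=` or `SRC=`; a greedy definition would swallow the MAC address into `OUT`. The comma-separated reference from the original pattern is rejected by `grok_to_regex` instead of being left in place as a literal that can never match.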

@edmundoa edmundoa self-assigned this Apr 4, 2016
edmundoa added a commit that referenced this issue Apr 4, 2016
@edmundoa edmundoa commented Apr 4, 2016

@123dev, please create a new issue if you want to submit a feature. Otherwise this will become real messy :)

@bernd bernd closed this in 57f785d Apr 12, 2016
@kroepke kroepke added the triaged label Sep 21, 2016