You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Description:
Composing grok patterns that share named captures will result in names to bind to the wrong capture in the context of the composition.
Reproduction steps:
Setup the following patterns file (/etc/logstash/patterns/general/test-patterns)
SSH_KEYFILE_ERROR (?<tags>error): (?<failure>Could not load host key): %{PATH:keyfile}
SSH_PASSWORD_FAIL (?<failure>Failed password) for %{USER:username} from %{IPORHOST:clientip} port %{INT:port} %{WORD:protocal}
AUTH_SSH (%{SSH_KEYFILE_ERROR}|%{SSH_PASSWORD_FAIL})
Run the patterns file using the following logstash config
I agree with you on the expected output. This behavior seems like a new bug, which may be expected given we did some internal changes to the grok library to improve performance and may have broken something.
I'd like to get some tests that show this bad behavior so we can ensure it stays fixed in the future.
(This issue was originally filed by @TheFlimFlam at elastic/logstash#2072)
Description:
Composing grok patterns that share named captures will result in names to bind to the wrong capture in the context of the composition.
Reproduction steps:
Setup the following patterns file (
/etc/logstash/patterns/general/test-patterns
)Run the patterns file using the following logstash config
Will print the following to standard out:
Expected output:
failure
which captures the text 'Failed password'username
should contain the text 'magicaluser'The text was updated successfully, but these errors were encountered: