cjslack / grok-debugger

MIT License
135 stars 31 forks

Unexpected pattern match behaviour #6

Open grownuphacker opened 1 year ago

grownuphacker commented 1 year ago

Using the test data:

2022-12-23T05:25:05.584Z ERROR vsan-mgmt[20337] [VsanHttpRequestWrapper::urlopen opID=noOpId] Exception while sending request : <urlopen error timed out>

and the pattern:

%{TIMESTAMP_ISO8601} %{NOTSPACE:event_severity} %{PROG:event_process}\[%{INT:event_pid}\] \[%{NOTSPACE:event_thread_name}( sub=%{NOTSPACE:event_sub_thread})? (?i)opid=%{NOTSPACE:event_operation_id}\]

Matches up until the final semantic (event_operation_id). This field is not populated and any further fields are right-shifted. The exact same test data on multiple other grok debuggers does not give the same result.

cjslack commented 1 year ago

Hi, thanks for letting me know. I'll have to dig into this. It's probably an issue with the dependency https://github.com/cjslack/grok-js-web, which was forked from https://github.com/Beh01der/node-grok

I would avoid using flag modifiers for now. Alternatively, for your specific example you can do something like this to achieve the desired result:

op(id|ID)=%{NOTSPACE:event_operation_id}\]

Full example here

grownuphacker commented 1 year ago

Thanks. I appreciate the workaround - and the tool, it's very useful.
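
An added example, not part of the original thread or the grok-debugger code base: a minimal grok-to-RegExp expander in JavaScript that runs the workaround pattern against the reported test data. The helper names `compileGrok` and `grokMatch`, the simplified `TIMESTAMP_ISO8601` definition, the `ANY_CASE` pattern and the `opId` variant line are assumptions made for illustration; the example shows that `op(id|ID)` covers only those two spellings, while a character-class form matches any casing without a flag modifier.

```javascript
// Small subset of the stock grok pattern library, enough for this log line.
// TIMESTAMP_ISO8601 is simplified here; the stock definition is more permissive.
const PATTERNS = {
  TIMESTAMP_ISO8601: String.raw`\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?`,
  NOTSPACE: String.raw`\S+`,
  PROG: String.raw`[\x21-\x5a\x5c\x5e-\x7e]+`,
  INT: String.raw`[+-]?[0-9]+`,
};

// Hypothetical helper: expand %{NAME:field} to a named group and %{NAME} to a
// non-capturing group, so fields bind by name rather than by group position.
function compileGrok(pattern) {
  const source = pattern.replace(/%\{(\w+)(?::(\w+))?\}/g, (_, name, field) => {
    if (!(name in PATTERNS)) throw new Error(`unknown grok pattern: ${name}`);
    return field ? `(?<${field}>${PATTERNS[name]})` : `(?:${PATTERNS[name]})`;
  });
  return new RegExp(source);
}

// Hypothetical helper: return the populated named fields, or null on no match.
function grokMatch(pattern, line) {
  const m = compileGrok(pattern).exec(line);
  if (!m) return null;
  const out = {};
  for (const [k, v] of Object.entries(m.groups ?? {})) if (v !== undefined) out[k] = v;
  return out;
}

// Pattern from the issue, split so only the opID part differs.
const PREFIX = String.raw`%{TIMESTAMP_ISO8601} %{NOTSPACE:event_severity} %{PROG:event_process}\[%{INT:event_pid}\] \[%{NOTSPACE:event_thread_name}( sub=%{NOTSPACE:event_sub_thread})? `;
// Workaround from the thread: the unnamed (id|ID) group cannot shift named fields.
const WORKAROUND = PREFIX + String.raw`op(id|ID)=%{NOTSPACE:event_operation_id}\]`;
// Assumed alternative: case-insensitive literal without a flag modifier.
const ANY_CASE = PREFIX + String.raw`[oO][pP][iI][dD]=%{NOTSPACE:event_operation_id}\]`;

// Test data from the issue.
const SAMPLE = "2022-12-23T05:25:05.584Z ERROR vsan-mgmt[20337] [VsanHttpRequestWrapper::urlopen opID=noOpId] Exception while sending request : <urlopen error timed out>";
// Constructed variant with a casing the workaround does not list.
const MIXED_CASE = SAMPLE.replace("opID=", "opId=");

console.log(grokMatch(WORKAROUND, SAMPLE));     // all five fields populated
console.log(grokMatch(WORKAROUND, MIXED_CASE)); // no match: line would go unparsed
console.log(grokMatch(ANY_CASE, MIXED_CASE));   // fields populated again
```

In a log pipeline, a line that fails to match is usually tagged as a parse failure rather than dropped, so the mixed-case gap shows up as unparsed events instead of missing fields.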