search

honzahommer / grok-js

Regular expression template library for Node.js inspired by logstash grok filter module
ISC License
14 stars 6 forks source link

Parsing Bug? #18

Closed lcharbon closed 4 years ago

lcharbon commented 4 years ago

Using the below pattern:

%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:severity}%{SPACE}%{WORD:component}%{SPACE}\[%{DATA:context}\]%{SPACE}%{GREEDYDATA:message}

To parse the below string:

2019-12-10T17:20:54.504-0500 I  COMMAND  [conn949] command test.$cmd appName: "MongoDB Compass Community" command: delete { delete: "tests", deletes: [ { q: { _id: ObjectId('5ddc2d9c830c46e8a2b4591e') }, limit: 1 } ], ordered: true, lsid: { id: UUID("11efa940 - 8535 - 4a8e - 8f61 - 147f3403a770") }, $db: "test" } numYields:0 reslen:45 locks:{ ParallelBatchWriterMode: { acquireCount: { r: 2 } }, ReplicationStateTransition: { acquireCount: { w: 2 } }, Global: { acquireCount: { r: 1, w: 1 } }, Database: { acquireCount: { w: 1 } }, Collection: { acquireCount: { w: 1 } }, Mutex: { acquireCount: { r: 3 } } } flowControl:{ acquireCount: 1 } storage:{} protocol:op_msg 0ms

and grok-js returns null. However when I remove the \[ and \] the string is parsed but the context variable is not. Is there something wrong with my pattern or is this a bug?

honzahommer commented 4 years ago

You need to use double backlash in your pattern...

%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:severity}%{SPACE}%{WORD:component}%{SPACE}\\[%{DATA:context}\\]%{SPACE}%{GREEDYDATA:message}

...

{ timestamp: "2019-12-10T17:20:54.504-0500",
  severity: "I",
  component: 'COMMAND',
  context: "conn949",
  message: "..." }