Named capture groups create new fields in logstash and can cause unexpected behaviour. In most patterns that is not the case, but a handful of them name some fields.
For example, when using the URIHOST grok pattern, a field with the name port is created as one of the capture groups is named in the pattern definition.
Changing this would be a breaking change as some users might be relying on this behaviour. We could fix this in time for 7.x
Named capture groups create new fields in logstash and can cause unexpected behaviour. In most patterns that is not the case, but a handful of them name some fields.
For example, when using the
URIHOSTgrok pattern, a field with the nameportis created as one of the capture groups is named in the pattern definition. Changing this would be a breaking change as some users might be relying on this behaviour. We could fix this in time for 7.xURIHOST %{IPORHOST}(?::%{POSINT:port})?should be changed to
URIHOST %{IPORHOST}(?::%{POSINT})?My suggestion is to remove all named capture groups from https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
Other patterns should continue to have name groups to make them easier to use, for example https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/haproxy