[question] Match a log against two grok expressions

[palmerabollo]

Imagine you want to match a log against two grok expressions, to see if the log matches any of the grok expressions.

Is that possible? The following code doesn't work:

        Grok g = new Grok();
        g.addPattern("DATA", ".*?");
        g.addPattern("NONNEGINT", "\b(?:[0-9]+)\b");
        g.compile("%{DATA}");
        g.compile("%{NONNEGINT}");
        Match m = g.match("hello");
        m.captures();
        System.out.println(m.isNull()); // true

But it works with a single call to addPattern:

        Grok g = new Grok();
        g.addPattern("DATA", ".*?");
        g.compile("%{DATA}");
        Match m = g.match("hello");
        m.captures();
        System.out.println(m.isNull()); // false

I think I'm missing something. Thanks

[anthonycorbacho]

Hi,

Long time ago, Pile would have been the answer, but its now deprecated. Basically what you need to do is to maintain a list of grok instance and try to match expression. Something like https://github.com/thekrakken/java-grok/blob/master/src/main/java/oi/thekraken/grok/api/Pile.java

[palmerabollo]

Thanks, Anthony. Why did you deprecate it? It looks like something useful to me. In fact I think that Grok and Pile could implement the same interface (with addPattern, match, etc) to work with them interchangeably.