[NIFI-9203] Improve GrokReader to be able to handle complex Grok expressions - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.15.0
Component/s: None
Labels:
None

Description

The current GrokReader implementation cannot handle complex expressions like in the following scenario:

Suppose we have a custom Grok pattern file:

SYSLOGBASE_ISO8601 %{TIMESTAMP_ISO8601:timestamp} (?:%{SYSLOGFACILITY} )?%{SYSLOGHOST:logsource} %{SYSLOGPROG}:
LINE_1 %{SYSLOGBASE}%{GREEDYDATA:message}
LINE_2 %{SYSLOGBASE_ISO8601}%{GREEDYDATA:message}
LINE (?:%{LINE_1}|%{LINE_2})

If we set the Grok expression to:

%LINE

the service will fail for 2 reasons:

LINE_1 and LINE_2 define the same labels. The service will try to create a schema by adding fields for all labels encountered. This leads to duplicate fields in the schema which is not allowed.
When the used Grok library reads a record based on a complex expression it returns an array as a value as the complex expression can have multiple matches. NiFi in turn tries to handle it as a byte array.

Attachments

Issue Links

Add Link

links to

GitHub Pull Request #5376

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Tamas Palfy

Reporter:: Tamas Palfy

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Sep/21 12:41

Updated:: 17/Sep/21 14:26

Resolved:: 17/Sep/21 14:26

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

Improve GrokReader to be able to handle complex Grok expressions

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Time Tracking

Agile

Slack

Issue deployment