Unexpected pattern match behaviour

[grownuphacker]

Using the test data:
- - - 2022-12-23T05:25:05.584Z ERROR vsan-mgmt[20337] [VsanHttpRequestWrapper::urlopen opID=noOpId] Exception while sending request : <urlopen error timed out>

and the pattern:
- - - %{TIMESTAMP_ISO8601} %{NOTSPACE:event_severity} %{PROG:event_process}\[%{INT:event_pid}\] \[%{NOTSPACE:event_thread_name}( sub=%{NOTSPACE:event_sub_thread})? (?i)opid=%{NOTSPACE:event_operation_id}\]

Matches up until the final sementic (event_operation_id). This field is not populated and any further fields are right-shifted. The exact same test data on multiple other grok debuggers does not give the same result.

[cjslack]

Hi, thanks for letting me know. I'll have to dig into this. It's probably an issue with the dependency https://github.com/cjslack/grok-js-web, which was forked from https://github.com/Beh01der/node-grok

I would avoid using flag modifiers for now. Alternatively, for your specific example you can do something like this to achieve the desired result:

op(id|ID)=%{NOTSPACE:event_operation_id}\]

Full example here

[grownuphacker]

Thanks. I appreciate the workaround - and the tool, it's very useful.