Telegraf grok parsing error

telegraf

#1

I set up Telegraf to use some custom grok patterns. One of the pattern files is the standard Logstash grok patterns. The documentation suggests that the Logstash patterns will work; however, I have noticed an error in the telegraf.log as follows:

2019-03-08T16:05:24Z E! [inputs.tail]: Error in plugin: E! Malformed log line in /motescan/scannet03/log/ag_history.log: [[Mar 08 2019, 16:05:22.781: rdata] Remote uploader version: 2.1.3], Error: error parsing regexp: invalid or unsupported Perl syntax: (?>

The offending part of the grok statement appears to be ‘(?>’ which is an ‘atomic group’. The logstash grok statements use this.

Has anyone else encountered this issue?

I am running telegraf 1.10.0


#2

It appears the Google RE2 syntax does not support atomic groups (they call it possessive match).


#3

The Telegraf doc is confusing on this issue. The built-in grok patterns reference the Logstash NUMBER pattern and the example(s) provided (https://github.com/influxdata/telegraf/blob/91cd17fd4094a15fdbea3121c73757b8d33f15d2/plugins/parsers/grok/influx_patterns.go#L43) suggest the NUMBER pattern should work. However, the NUMBER pattern uses both atomic groups and negative look-behind, which Google RE2 does not support.

Has anyone used the NUMBER grok pattern with telegraf?
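A pre-flight check for a custom pattern file, added here as an example and not part of the thread or of Telegraf's own code: it inlines `%{NAME}` references and compiles every pattern with Go's `regexp` package (RE2 syntax), which produces the "invalid or unsupported Perl syntax" error quoted in the first post. The pattern names and definitions in `samplePatterns` are constructed for illustration, and `CheckPatterns` and `expand` are hypothetical helper names; Go 1.18 or later is assumed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample pattern file ("NAME regex" per line), not taken from the thread.
const samplePatterns = `INT [0-9]+
ATOMIC_NUM (?>[+-]?[0-9]+)
LOOKBEHIND_NUM (?<![0-9.+-])[0-9]+
VERSION Remote uploader version: %{INT:major}\.%{INT}\.%{INT}
USES_ATOMIC value=%{ATOMIC_NUM:val}`

// grokRef matches %{NAME}, %{NAME:field} and %{NAME:field:type} references.
var grokRef = regexp.MustCompile(`%\{(\w+)(?::\w+)*\}`)

// expand inlines referenced definitions; depth bounds recursion on cyclic files.
func expand(pat string, defs map[string]string, depth int) string {
	if depth == 0 {
		return pat
	}
	return grokRef.ReplaceAllStringFunc(pat, func(m string) string {
		if def, ok := defs[grokRef.FindStringSubmatch(m)[1]]; ok {
			return "(?:" + expand(def, defs, depth-1) + ")"
		}
		return m // unknown reference stays literal
	})
}

// CheckPatterns returns the compile error for every pattern Go's regexp rejects.
func CheckPatterns(file string) map[string]error {
	defs, bad := map[string]string{}, map[string]error{}
	for _, line := range strings.Split(file, "\n") {
		name, re, ok := strings.Cut(strings.TrimSpace(line), " ")
		if ok && !strings.HasPrefix(name, "#") {
			defs[name] = strings.TrimSpace(re)
		}
	}
	for name, re := range defs {
		if _, err := regexp.Compile(expand(re, defs, 10)); err != nil {
			bad[name] = err
		}
	}
	return bad
}

func main() {
	fmt.Println(CheckPatterns(samplePatterns))
}
```

A pattern that only references a rejected one (here `USES_ATOMIC`) is reported too, which is how an imported pattern file can break a rule that looks clean on its own line.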


#4

NUMBER works fine.
Telegraf uses this library


#5

Thank you @virunephilosof. I found your grok patterns were baked into Telegraf. I suggested that the documentation should be updated to reflect this.