Cherry-pick #17428 to 7.x: Fix redundant operator in activemq ingest pipeline #17440
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Grok processor has a redundant `*` operator in a regular expression,
which causes the following warning to be printed to the Elasticsearch
logs every time the pipeline is loaded:
```
regular expression has redundant nested repeat operator * /(?<TIMESTAMP_ISO8601:timestamp>(?:(?>\d\d){1,2})-(?:(?:0?[1-9]|1[0-2]))-(?:(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]))[T ](?:(?:2[0123]|[01][0-9])):?(?:(?:[0-5][0-9]))(?::?(?:(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)))?(?:(?:Z|[+-](?:(?:2[0123]|[01]?[0-9]))(?::?(?:(?:[0-5][0-9])))))?)(?:\s*)\|(?:\s*)(?<LOGLEVEL:log.level>([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?))(?:\s*)\|(?:\s*)(?<NOPIPEGREEDYDATA:message>((?! \|).)*)(?:\s*)\|(?:\s*)(?<NOPIPEGREEDYDATA:activemq.caller>((?! \|).)*)(?:\s*)\|(?:\s*)(?<THREAD_NAME:activemq.thread>((?!
).)*)(?:\s*)?(?<GREEDYMULTILINE:activemq.log.stack_trace>(.|\n|\t)*)/
```
(cherry picked from commit 543a5f4)
adriansr
force-pushed
the
backport_17428_7.x
branch
from
92aada7
to
52077a9
Compare
|
Pinging @elastic/siem (Team:SIEM) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cherry-pick of PR #17428 to 7.x branch. Original message:
Grok processor has a redundant
*operator in a regular expression, which causes the following warning to be printed to the Elasticsearch logs every time the pipeline is loaded:In this case the redundancy is caused by following a
{SPACE}expression followed by a match-zero-or-one operator:?. TheSPACEpattern expands to(?:\s*)which already matches zero or more spaces. Perhaps a better name would have beenSPACES.I'm still seeing this error after upgrading Filebeat
if you're still seeing this error after upgrading Filebeat, note that the error is still printed when an Elasticsearch node is started if pipelines for older versions are installed (
filebeat-X.Y.Z-elasticsearch-gc-pipelineforX.Y.Z<7.7.0). A newer version won't remove existing pipelines.Relates #15900 #17156