From f744faeb68b0517b7d8e17395524198cab3e8bdb Mon Sep 17 00:00:00 2001
From: Bernd Ahlers
Date: Wed, 29 May 2024 11:29:07 +0200
Subject: [PATCH] Fix an issue with type conversions

The Match#capture method had a bug where it didn't remove the type conversion suffix of the field name when there was no match in the tested string.
The Matcher now correctly removes the type suffix from the field name when there is no match for the sub-pattern.

Refs https://github.com/Graylog2/graylog2-server/issues/18883
Refs https://github.com/Graylog2/graylog2-server/pull/18898
---
 src/main/java/io/krakens/grok/api/Match.java | 3 +++
 .../java/io/krakens/grok/api/GrokTest.java | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/src/main/java/io/krakens/grok/api/Match.java b/src/main/java/io/krakens/grok/api/Match.java
index 5970726..5f576d4 100644
--- a/src/main/java/io/krakens/grok/api/Match.java
+++ b/src/main/java/io/krakens/grok/api/Match.java
@@ -162,6 +162,9 @@ private Map capture(boolean flattened ) throws GrokException {
}
} else if (!isKeepEmptyCaptures()) {
return;
+ } else {
+ // Extract key to remove the type conversion suffix from the key. See: https://github.com/Graylog2/graylog2-server/issues/18883
+ key = Converter.extractKey(key);
}
if (capture.containsKey(key)) {
diff --git a/src/test/java/io/krakens/grok/api/GrokTest.java b/src/test/java/io/krakens/grok/api/GrokTest.java
index 3bff5a8..1d2d6aa 100644
--- a/src/test/java/io/krakens/grok/api/GrokTest.java
+++ b/src/test/java/io/krakens/grok/api/GrokTest.java
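Review bot: The comment on the new `else` branch points at the issue tracker but does not say what is being stripped, which is what a reader of `capture` needs; the accompanying test's `%{NONNEGINT:packets:long}` pattern suggests a `name:type` form, so I would rephrase it as `// Group names may carry a ":type" conversion suffix (e.g. "packets:long"); strip it so a kept-empty, unmatched group is stored under the bare field name, matching the key used for matched groups.` The stripping is now done only on the keep-empty path; if the matched path above this hunk (not visible here) also derives the bare key via the converter, hoisting `key = Converter.extractKey(key);` ahead of the `if`/`else if` chain would keep both paths in step and make the `capture.containsKey(key)` duplicate check below use the same key in every case, but that depends on code outside the hunk. `capture` starts and ends outside the hunk.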
@@ -681,4 +681,29 @@ public void testNamedGroupWithUnderscore() {
String result = (String) grok.match(testString).capture().get(grokPatternName);
assertEquals("test", result);
}
+
+ @Test
+ public void testConversion() {
+ // The Match#capture method had a bug where it didn't remove the type conversion part of the field name when
+ // there was no match in the tested string. In this example it put a "packets:long" field into the capture map
+ // instead of a "packets" field.
+ // See:
+ // - https://github.com/Graylog2/graylog2-server/issues/18883
+ // - https://github.com/Graylog2/graylog2-server/pull/18898
+ final Grok grok = compiler.compile("%{DATA:vendor_attack} against (?:server )?%{IP:destination_ip} (from %{IP:source_ip} )?detected(. %{NONNEGINT:packets:long})?");
+
+ final Map match1 = grok.match("DDOS against server 10.0.1.34 detected.").capture();
+
+ assertEquals("DDOS", match1.get("vendor_attack"));
+ assertEquals("10.0.1.34", match1.get("destination_ip"));
+ assertTrue("Should have \"packets\" field", match1.containsKey("packets"));
+ assertNull(match1.get("packets"));
+
+ final Map match2 = grok.match("DDOS against server 10.0.1.34 detected. 1234567").capture();
+
+ assertEquals("DDOS", match2.get("vendor_attack"));
+ assertEquals("10.0.1.34", match2.get("destination_ip"));
+ assertTrue("Should have \"packets\" field", match2.containsKey("packets"));
+ assertEquals(1234567L, match2.get("packets"));
+ }
}
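Review bot: `testConversion` asserts that `packets` is present in `match1` but never asserts that the buggy `packets:long` key is absent, which is the regression the commit fixes; adding `assertFalse(match1.containsKey("packets:long"));` (and the same for `match2`) pins it directly. The name `testConversion` says little about the scenario; `testUnmatchedOptionalGroupWithTypeConversion` would describe the case being covered. The first case also depends on empty captures being kept so that `packets` appears with a null value; if that behaviour is configurable on the compiler, naming it in the comment would make the expectation explicit rather than implied by the default.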