grok not reading a word with hyphen

This is my grok pattern

2017-09-25 08:58:17,861 p=14774 u=ec2-user | 14774 1506329897.86160: checking for any_errors_fatal

I'm trying to read the user, but it's giving only ec2; it's not giving the full word.

Sorry, I'm new to the grok filter.

My current pattern :

%{TIMESTAMP_ISO8601:timestamp} p=%{WORD:process_id} u=%{WORD:user_id}

Current output :

...
...
...
  "process_id": [
    [
      "14774"
    ]
  ],
  "user_id": [
    [
      "ec2"
    ]
  ]
}
Vicky asked Dec 23 '22 14:12



1 Answer

WORD is defined as "\b\w+\b"

See https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns

  • \b is a word boundary

  • \w matches a single alphanumeric character (an alphabetic character, or a decimal digit) or "_"

  • + means any number of the previous character. So \w+ means any number of characters

Note that \w does NOT match -

So to make it work instead of WORD use

(?<user_id>\b[\w\-]+\b)

This does not use the predefined grok patterns but "raw" regexp

  • the (?....) is used instead of %{ as it is "raw" regexp
  • \- means a literal - sign
  • [ ] means a character class. So [\w-] will match all the things \w does and - as well
Vorsprung answered Jan 02 '23 12:01

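Added example, not part of the question or the answer above: a Ruby script (Logstash's grok runs on an Oniguruma-style engine, so the answer's `(?<user_id>...)` syntax works unchanged here) that reproduces the truncation on the log line from the question and shows the answer's fix. The hand-expanded `TIMESTAMP_ISO8601` is a simplified stand-in (assumption), and `truncated_capture?` is a check of my own for spotting fields that matched but stopped short of the full token.

```ruby
# Added example: why %{WORD:user_id} yields "ec2" and how the raw-regexp
# capture from the answer yields "ec2-user". Not code from the original page.

# Log line copied from the question.
SAMPLE_LINE = "2017-09-25 08:58:17,861 p=14774 u=ec2-user | 14774 1506329897.86160: checking for any_errors_fatal"

# Simplified stand-in for %{TIMESTAMP_ISO8601} (assumption; enough for this line).
TIMESTAMP = /\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}/

# What the question's pattern expands to: %{WORD:x} becomes (?<x>\b\w+\b).
# \w excludes "-", and "-" is a non-word character, so \b holds after "ec2"
# and the match succeeds with a truncated user_id (grok does not anchor the end).
PATTERN_WORD  = /^(?<timestamp>#{TIMESTAMP}) p=(?<process_id>\b\w+\b) u=(?<user_id>\b\w+\b)/

# The answer's fix: a character class that also admits a literal "-".
PATTERN_FIXED = /^(?<timestamp>#{TIMESTAMP}) p=(?<process_id>\b\w+\b) u=(?<user_id>\b[\w\-]+\b)/

# Apply a pattern and return its named captures as a Hash (nil when nothing matches).
def grok_match(pattern, line)
  m = pattern.match(line)
  m && m.named_captures
end

# Sanity check for a parsing pipeline: a capture immediately followed by a
# non-whitespace character stopped short of the whole token, i.e. the field
# was silently truncated even though the pattern "matched".
def truncated_capture?(pattern, line, name)
  m = pattern.match(line)
  return false unless m
  tail = line[m.end(name)]            # character right after the capture (nil at end of line)
  !(tail.nil? || tail =~ /\s/)
end

if __FILE__ == $0
  puts "WORD  : #{grok_match(PATTERN_WORD, SAMPLE_LINE).inspect}"
  puts "FIXED : #{grok_match(PATTERN_FIXED, SAMPLE_LINE).inspect}"
  puts "user_id truncated with WORD? #{truncated_capture?(PATTERN_WORD, SAMPLE_LINE, 'user_id')}"
end
```

The truncation matters for monitoring: a detection keyed on the full user name would never fire on "ec2", while the pattern still reports a successful match.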