Fix an issue with type conversions (#4)

bernd · web-flow · commit 6bbfb99342e7 · 2024-05-29T12:16:15.000+02:00
The Match#capture method had a bug where it didn't remove the type conversion suffix of the field name when there was no match in the tested string. The Matcher now correctly removes the type suffix from the field name when there is no match for the sub-pattern. Refs Graylog2/graylog2-server#18883 Refs Graylog2/graylog2-server#18898
diff --git a/src/main/java/io/krakens/grok/api/Match.java b/src/main/java/io/krakens/grok/api/Match.java
@@ -162,6 +162,9 @@ private Map<String, Object> capture(boolean flattened ) throws GrokException {
         }
       } else if (!isKeepEmptyCaptures()) {
         return;
+      } else {
+        // Extract key to remove the type conversion suffix from the key. See: https://github.com/Graylog2/graylog2-server/issues/18883
+        key = Converter.extractKey(key);
       }
 
       if (capture.containsKey(key)) {
diff --git a/src/test/java/io/krakens/grok/api/GrokTest.java b/src/test/java/io/krakens/grok/api/GrokTest.java
@@ -681,4 +681,29 @@ public void testNamedGroupWithUnderscore() {
     String result = (String) grok.match(testString).capture().get(grokPatternName);
     assertEquals("test", result);
   }
+
+  @Test
+  public void testConversion() {
+    // The Match#capture method had a bug where it didn't remove the type conversion part of the field name when
+    // there was no match in the tested string. In this example it put a "packets:long" field into the capture map
+    // instead of a "packets" field.
+    // See:
+    //  - https://github.com/Graylog2/graylog2-server/issues/18883
+    //  - https://github.com/Graylog2/graylog2-server/pull/18898
+    final Grok grok = compiler.compile("%{DATA:vendor_attack} against (?:server )?%{IP:destination_ip} (from %{IP:source_ip} )?detected(. %{NONNEGINT:packets:long})?");
+
+    final Map<String, Object> match1 = grok.match("DDOS against server 10.0.1.34 detected.").capture();
+
+    assertEquals("DDOS", match1.get("vendor_attack"));
+    assertEquals("10.0.1.34", match1.get("destination_ip"));
+    assertTrue("Should have \"packets\" field", match1.containsKey("packets"));
+    assertNull(match1.get("packets"));
+
+    final Map<String, Object> match2 = grok.match("DDOS against server 10.0.1.34 detected. 1234567").capture();
+
+    assertEquals("DDOS", match2.get("vendor_attack"));
+    assertEquals("10.0.1.34", match2.get("destination_ip"));
+    assertTrue("Should have \"packets\" field", match2.containsKey("packets"));
+    assertEquals(1234567L, match2.get("packets"));
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -162,6 +162,9 @@ private Map<String, Object> capture(boolean flattened ) throws GrokException {`
`162`	`162`	`}`
`163`	`163`	`} else if (!isKeepEmptyCaptures()) {`
`164`	`164`	`return;`
	`165`	`+ } else {`
	`166`	`+ // Extract key to remove the type conversion suffix from the key. See: https://github.com/Graylog2/graylog2-server/issues/18883`
	`167`	`+ key = Converter.extractKey(key);`
`165`	`168`	`}`
`166`	`169`
`167`	`170`	`if (capture.containsKey(key)) {`