Fix an issue with type conversions (#4)

The Match#capture method had a bug where it didn't remove the type conversion suffix of the field name when there was no match in the tested string. The Matcher now correctly removes the type suffix from the field name when there is no match for the sub-pattern. Refs Graylog2/graylog2-server#18883 Refs Graylog2/graylog2-server#18898
graylog-labs · May 29, 2024 · 6bbfb99 · 6bbfb99
1 parent 99f6e69
commit 6bbfb99
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/src/main/java/io/krakens/grok/api/Match.java b/src/main/java/io/krakens/grok/api/Match.java
@@ -162,6 +162,9 @@ private Map<String, Object> capture(boolean flattened ) throws GrokException {
         }
       } else if (!isKeepEmptyCaptures()) {
         return;
+      } else {
+        // Extract key to remove the type conversion suffix from the key. See: https://github.com/Graylog2/graylog2-server/issues/18883
+        key = Converter.extractKey(key);
       }
 
       if (capture.containsKey(key)) {

diff --git a/src/test/java/io/krakens/grok/api/GrokTest.java b/src/test/java/io/krakens/grok/api/GrokTest.java
@@ -681,4 +681,29 @@ public void testNamedGroupWithUnderscore() {
     String result = (String) grok.match(testString).capture().get(grokPatternName);
     assertEquals("test", result);
   }
+
+  @Test
+  public void testConversion() {
+    // The Match#capture method had a bug where it didn't remove the type conversion part of the field name when
+    // there was no match in the tested string. In this example it put a "packets:long" field into the capture map
+    // instead of a "packets" field.
+    // See:
+    //  - https://github.com/Graylog2/graylog2-server/issues/18883
+    //  - https://github.com/Graylog2/graylog2-server/pull/18898
+    final Grok grok = compiler.compile("%{DATA:vendor_attack} against (?:server )?%{IP:destination_ip} (from %{IP:source_ip} )?detected(. %{NONNEGINT:packets:long})?");
+
+    final Map<String, Object> match1 = grok.match("DDOS against server 10.0.1.34 detected.").capture();
+
+    assertEquals("DDOS", match1.get("vendor_attack"));
+    assertEquals("10.0.1.34", match1.get("destination_ip"));
+    assertTrue("Should have \"packets\" field", match1.containsKey("packets"));
+    assertNull(match1.get("packets"));
+
+    final Map<String, Object> match2 = grok.match("DDOS against server 10.0.1.34 detected. 1234567").capture();
+
+    assertEquals("DDOS", match2.get("vendor_attack"));
+    assertEquals("10.0.1.34", match2.get("destination_ip"));
+    assertTrue("Should have \"packets\" field", match2.containsKey("packets"));
+    assertEquals(1234567L, match2.get("packets"));
+  }
 }