Simplify grock pattern match

donoghuc · donoghuc · commit 63a51476db72 · 2025-04-09T13:56:54.000-07:00
The grok pattern is unanchored-by-default, we don't need the leading and trailing
wildcards.
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/logstash/pipeline/logstash.conf b/x-pack/distributions/internal/observabilitySRE/qa/smoke/docker/logstash/pipeline/logstash.conf
@@ -38,7 +38,7 @@ filter {
   
   if [log_content] =~ /json=/ {
     grok {
-      match => { "log_content" => ".*json=%{GREEDYDATA:json_string}.*" }
+      match => { "log_content" => "json=%{GREEDYDATA:json_string}" }
     }
     json {
       source => "json_string"

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ filter {`
`38`	`38`
`39`	`39`	`if [log_content] =~ /json=/ {`
`40`	`40`	`grok {`
`41`		`- match => { "log_content" => ".json=%{GREEDYDATA:json_string}." }`
	`41`	`+ match => { "log_content" => "json=%{GREEDYDATA:json_string}" }`
`42`	`42`	`}`
`43`	`43`	`json {`
`44`	`44`	`source => "json_string"`