Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: quoted-string in v2 including quotes in extracted value #186

Open
ontholerian opened this issue Jan 12, 2016 · 4 comments · May be fixed by #344
Open

Bug: quoted-string in v2 including quotes in extracted value #186

ontholerian opened this issue Jan 12, 2016 · 4 comments · May be fixed by #344

Comments

@ontholerian
Copy link
Contributor

The version 2 quoted-string parser is incorrectly including the surrounding quotes in the extracted value, unlike version 1.

Sample log

$ cat quotedstring.log
"value1" "value2"
"value1" value2

Version 1 ruleset

$ cat quotedstring.v1.rb
rule=:%field1:quoted-string% %field2:op-quoted-string%

Version 1 works as expected

$ cat quotedstring.log | lognormalizer -e json -r quotedstring.v1.rb | jq --sort-keys .
{
  "field1": "value1",
  "field2": "value2"
}
{
  "field1": "value1",
  "field2": "value2"
}

Version 2 ruleset

$ cat quotedstring.v2.rb
version=2
rule=:%field1:quoted-string% %field2:op-quoted-string%

Version 2 has unexpected result

$ cat quotedstring.log | lognormalizer -e json -r quotedstring.v2.rb | jq --sort-keys .
{
  "field1": "\"value1\"",
  "field2": "value2"
}
{
  "field1": "\"value1\"",
  "field2": "value2"
}
@ontholerian
Copy link
Contributor Author

I found a possible fix for this. src/parser.c#L1681, when the value is getting extracted, it does not strip off the quotes, unlike the OpQuotedParser does on L1636 right above it (+1 to the offset, -2 from the extracted length). I am not at a computer to submit a PR to fix this right now, but I can try to look into it hopefully this week unless someone else can do so faster.

@mjbnz
Copy link

mjbnz commented Dec 4, 2019

I can confirm this bug - however, I have not looked into testing @ontholerian 's suggested fix.

@Rfferrao87
Copy link

I am running into the same problem, was this ever fixed? Thanks.

@ontholerian ontholerian linked a pull request Oct 8, 2020 that will close this issue
Open
@dennis3484
Copy link

Same issue here. Looks like pull request #344 – that might fix the issue – has some incomplete checks and is not merged because of that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fixed quoted-string from including the quotes in the extracted value ontholerian/liblognorm
4 participants
@dennis3484 @mjbnz @ontholerian @Rfferrao87