Note that grok ingest processor patterns are not anchored (#11182)

github-actions[bot] · natebower · kolchfa-aws · github-actions[bot] · commit 19ddb25a9dc1 · 2025-10-15T14:48:30.000Z
* Note that grok ingest processor patterns are not anchored Signed-off-by: James Beckett <308470+hackery@users.noreply.github.com> * Grok ingest processor: add anchoring to pattern examples Signed-off-by: James Beckett <308470+hackery@users.noreply.github.com> * Update _ingest-pipelines/processors/grok.md Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Signed-off-by: Nathan Bower <nbower@amazon.com> --------- Signed-off-by: James Beckett <308470+hackery@users.noreply.github.com> Signed-off-by: Nathan Bower <nbower@amazon.com> Co-authored-by: Nathan Bower <nbower@amazon.com> Co-authored-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> (cherry picked from commit cbecfc1) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
diff --git a/_ingest-pipelines/processors/grok.md b/_ingest-pipelines/processors/grok.md
@@ -21,6 +21,9 @@ For a list of available predefined patterns, see [Grok patterns](https://github.
 
 The `grok` processor is built on the [Oniguruma regular expression library](https://github.com/kkos/oniguruma/blob/master/doc/RE) and supports all the patterns from that library. You can use the [Grok Debugger](https://grokdebugger.com/) tool to test and debug your grok expressions.
 
+Note that patterns are *not anchored*. For performance and reliability, include a start-of-line anchor (`^`) in your pattern.
+{: .note}
+
 ## Syntax
 
 The following is the basic syntax for the `grok` processor: 
@@ -69,7 +72,7 @@ PUT _ingest/pipeline/log_line
     {
       "grok": {
         "field": "message",
-        "patterns": ["%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"]
+        "patterns": ["^%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"]
       }
     }
   ]
@@ -158,7 +161,7 @@ PUT _ingest/pipeline/log_line
     {
       "grok": {
         "field": "message",
-        "patterns": ["The issue number %{NUMBER:issue_number} is %{STATUS:status}"],
+        "patterns": ["^The issue number %{NUMBER:issue_number} is %{STATUS:status}"],
         "pattern_definitions" : {
           "NUMBER" : "\\d{3,4}",
           "STATUS" : "open|closed"
@@ -182,7 +185,7 @@ PUT _ingest/pipeline/log_line
     {  
       "grok": {  
         "field": "message",  
-        "patterns": ["%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],  
+        "patterns": ["^%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],
         "trace_match": true  
       }  
     }  

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ For a list of available predefined patterns, see [Grok patterns](https://github.`
`21`	`21`
`22`	`22`	The `grok` processor is built on the [Oniguruma regular expression library](https://github.com/kkos/oniguruma/blob/master/doc/RE) and supports all the patterns from that library. You can use the [Grok Debugger](https://grokdebugger.com/) tool to test and debug your grok expressions.
`23`	`23`
	`24`	+Note that patterns are not anchored. For performance and reliability, include a start-of-line anchor (`^`) in your pattern.
	`25`	`+{: .note}`
	`26`	`+`
`24`	`27`	`## Syntax`
`25`	`28`
`26`	`29`	The following is the basic syntax for the `grok` processor:
`@@ -69,7 +72,7 @@ PUT _ingest/pipeline/log_line`
`69`	`72`	`{`
`70`	`73`	`"grok": {`
`71`	`74`	`"field": "message",`
`72`		`- "patterns": ["%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"]`
	`75`	`+ "patterns": ["^%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"]`
`73`	`76`	`}`
`74`	`77`	`}`
`75`	`78`	`]`
`@@ -158,7 +161,7 @@ PUT _ingest/pipeline/log_line`
`158`	`161`	`{`
`159`	`162`	`"grok": {`
`160`	`163`	`"field": "message",`
`161`		`- "patterns": ["The issue number %{NUMBER:issue_number} is %{STATUS:status}"],`
	`164`	`+ "patterns": ["^The issue number %{NUMBER:issue_number} is %{STATUS:status}"],`
`162`	`165`	`"pattern_definitions" : {`
`163`	`166`	`"NUMBER" : "\\d{3,4}",`
`164`	`167`	`"STATUS" : "open\|closed"`
`@@ -182,7 +185,7 @@ PUT _ingest/pipeline/log_line`
`182`	`185`	`{`
`183`	`186`	`"grok": {`
`184`	`187`	`"field": "message",`
`185`		`- "patterns": ["%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],`
	`188`	`+ "patterns": ["^%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],`
`186`	`189`	`"trace_match": true`
`187`	`190`	`}`
`188`	`191`	`}`