From 355727a0c35703e403f17e7b6d686643de2d6a6f Mon Sep 17 00:00:00 2001
From: James Beckett <308470+hackery@users.noreply.github.com>
Date: Fri, 3 Oct 2025 15:01:19 +0100
Subject: [PATCH 1/2] Note that grok ingest processor patterns are not anchored

Signed-off-by: James Beckett <308470+hackery@users.noreply.github.com>
---
 _ingest-pipelines/processors/grok.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/_ingest-pipelines/processors/grok.md b/_ingest-pipelines/processors/grok.md
index c3be935a77..7e2f0041da 100644
--- a/_ingest-pipelines/processors/grok.md
+++ b/_ingest-pipelines/processors/grok.md
@@ -21,6 +21,8 @@ For a list of available predefined patterns, see [Grok patterns](https://github.
 The `grok` processor is built on the [Oniguruma regular expression library](https://github.com/kkos/oniguruma/blob/master/doc/RE) and supports all the patterns from that library. You can use the [Grok Debugger](https://grokdebugger.com/) tool to test and debug your grok expressions.
 
+Note that patterns are *not anchored* - for performance and reliability it is advisable to include at least a start-of-line anchor (`^`)
+
 ## Syntax
 
 The following is the basic syntax for the `grok` processor:
 

From feac586871795e58127032e5dee872ec7fc7b5a0 Mon Sep 17 00:00:00 2001
From: James Beckett <308470+hackery@users.noreply.github.com>
Date: Sat, 4 Oct 2025 19:36:45 +0100
Subject: [PATCH 2/2] Grok ingest processor: add anchoring to pattern examples

Signed-off-by: James Beckett <308470+hackery@users.noreply.github.com>
---
 _ingest-pipelines/processors/grok.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/_ingest-pipelines/processors/grok.md b/_ingest-pipelines/processors/grok.md
index 7e2f0041da..cf5dea3460 100644
--- a/_ingest-pipelines/processors/grok.md
+++ b/_ingest-pipelines/processors/grok.md
@@ -71,7 +71,7 @@ PUT _ingest/pipeline/log_line
 {
 "grok": {
 "field": "message",
-"patterns": ["%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"]
+"patterns": ["^%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"]
 }
 }
 ]
@@ -160,7 +160,7 @@ PUT _ingest/pipeline/log_line
 {
 "grok": {
 "field": "message",
-"patterns": ["The issue number %{NUMBER:issue_number} is %{STATUS:status}"],
+"patterns": ["^The issue number %{NUMBER:issue_number} is %{STATUS:status}"],
 "pattern_definitions" : {
 "NUMBER" : "\\d{3,4}",
 "STATUS" : "open|closed"
@@ -184,7 +184,7 @@ PUT _ingest/pipeline/log_line
 {
 "grok": {
 "field": "message",
-"patterns": ["%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],
+"patterns": ["^%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],
 "trace_match": true
 }
 }
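Review bot: In the third hunk (`@@ -184,7 +184,7 @@`) only the first entry of the `patterns` array gained the `^` anchor; the second entry, `%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}`, is still unanchored, so a line that fails the anchored first pattern falls through to one that may match anywhere inside the field, which is exactly what the new note in patch 1 advises against. Suggest `"patterns": ["^%{HTTPDATE:timestamp} %{IPORHOST:clientip}", "^%{IPORHOST:clientip} %{HTTPDATE:timestamp} %{NUMBER:response_status:int}"],` so the `trace_match` example demonstrates consistent anchoring. Since these examples are copied into pipelines that run against every ingested document, the prose around them (outside this hunk) could also mention that an end anchor (`$`) is needed where the whole field is expected to match, and that anchoring bounds the number of start positions the regex engine tries on malformed or oversized input.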