Bug: quoted-string in v2 including quotes in extracted value

[ontholerian]

The version 2 quoted-string parser is incorrectly including the surrounding quotes in the extracted value, unlike version 1.

Sample log

$ cat quotedstring.log
"value1" "value2"
"value1" value2

Version 1 ruleset

$ cat quotedstring.v1.rb
rule=:%field1:quoted-string% %field2:op-quoted-string%

Version 1 works as expected

$ cat quotedstring.log | lognormalizer -e json -r quotedstring.v1.rb | jq --sort-keys .
{
  "field1": "value1",
  "field2": "value2"
}
{
  "field1": "value1",
  "field2": "value2"
}

Version 2 ruleset

$ cat quotedstring.v2.rb
version=2
rule=:%field1:quoted-string% %field2:op-quoted-string%

Version 2 has unexpected result

$ cat quotedstring.log | lognormalizer -e json -r quotedstring.v2.rb | jq --sort-keys .
{
  "field1": "\"value1\"",
  "field2": "value2"
}
{
  "field1": "\"value1\"",
  "field2": "value2"
}

[ontholerian]

I found a possible fix for this. src/parser.c#L1681, when the value is getting extracted, it does not strip off the quotes, unlike the OpQuotedParser does on L1636 right above it (+1 to the offset, -2 from the extracted length). I am not at a computer to submit a PR to fix this right now, but I can try to look into it hopefully this week unless someone else can do so faster.

[mjbnz]

I can confirm this bug - however, I have not looked into testing @ontholerian 's suggested fix.

[Rfferrao87]

I am running into the same problem, was this ever fixed? Thanks.

[dennis3484]

Same issue here. Looks like pull request #344 – that might fix the issue – has some incomplete checks and is not merged because of that.