It appears that “only-matching” does not work as expected when two patterns are connected with “and”.
I attempted to generate statistics on a bunch of huge firewall logs and discovered many false matches.
Here are some numbers (without named captures and format options):
Total count:
```
ugrep -Pz -e='((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s' --and -e='deny' log.zst -c
113641
```
Only-Matching count:
```
ugrep -Pz -e='((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s' --and -e='deny' log.zst -co
227282
```
Count lines excluding both matches:
```
ugrep -Pz -e='((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s' --and -e='deny' log.zst | ugrep -Pv '((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s' | ugrep -cPv deny
0
```
Count only-matching lines excluding the matches (the weird part, because it should count 0):
```
ugrep -oPz -e='((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s' --and -e='deny' log.zst | ugrep -Pv '((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s' | ugrep -cPv deny
# ugrep 3.11.2 rhel9 returns:
1259
# ugrep 7.5.0 on archlinux returns:
310
```
The returned counts are always the same number.
Is this the expected behavior, or am I doing something wrong?
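
An independent baseline for the checks in the report above, as an added example that is not part of the original issue and not ugrep's code: it applies the two patterns from the commands with Python's `re` module to compute the AND-line count, the only-matching fragments, and the fragments that match neither pattern. The sample log lines and the function names are constructed for illustration, and the sketch does not model how ugrep itself combines `-o` with `--and`.

```python
import re

# Patterns copied from the commands in the issue.
TS = re.compile(r'((2025-10-07)T(09:|10:|11:)[\d:]*)[\d.]+Z\s')
DENY = re.compile(r'deny')

# Constructed sample lines (not taken from the reporter's logs).
SAMPLE = [
    "2025-10-07T09:15:02.123Z fw1 deny tcp 10.0.0.5:443 -> 10.0.0.9:51514",
    "2025-10-07T10:01:44.007Z fw1 allow udp 10.0.0.7:53 -> 10.0.0.2:40000",
    "2025-10-07T12:30:00.000Z fw1 deny tcp 10.0.0.5:22 -> 10.0.0.9:50000",
    "2025-10-07T11:59:59.999Z fw2 deny icmp 10.0.0.8 -> 10.0.0.1 deny-log",
    "fw2 deny without timestamp",
]

def and_lines(lines):
    """Lines on which both patterns match (the 'Total count' query)."""
    return [l for l in lines if TS.search(l) and DENY.search(l)]

def only_matching(lines):
    """Matched fragments of either pattern, taken only from AND-lines."""
    frags = []
    for line in and_lines(lines):
        spans = [m.span() for p in (TS, DENY) for m in p.finditer(line)]
        frags += [line[s:e] for s, e in sorted(spans)]
    return frags

def stray(frags):
    """Fragments matching neither pattern: the count the issue expects to be 0."""
    return [f for f in frags if not TS.search(f) and not DENY.search(f)]

if __name__ == "__main__":
    frags = only_matching(SAMPLE)
    print("AND lines:", len(and_lines(SAMPLE)))
    print("fragments:", len(frags))
    print("stray fragments:", stray(frags))
```

Running the same functions over a decompressed slice of the real log gives reference numbers to compare against the tool's `-c`, `-co` and filtered `-o` output.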