user3296520
Reputation: 361
Logstash filter with more matcher
I want to define a logstash filter with than one matcher because in one .log file there is more type of logged message. As I checked if I have one logfile and I define more separated filter then just the first filter running on the row.
Upvotes: 0
Views: 169
Answers (1)
Alcanzar
Reputation: 17155
You can use a grok filter with multiple patterns, or you can use if statements to conditionally parse.
To use multiple patterns, you'd just list them on the grok:
grok {
match => [ "message",
"Error on line (?<line>\d+)",
"Exception in (?<place>\d+)",
"Something else"
]
}
Logstash will evaluate them in order and stop when one of them matches (or give you a tag of _grokparsefailure if none match)
The other thing you can do is conditional evaluation:
if [message] =~ /Some pattern/ {
grok {
match => ['message','Some pattern of (?<number>\d+) stuff']
}
} else if [message] =~ /Some other pattern/ {
...
}
Upvotes: 2
Related Questions
- Logstash grok multiple match
- Logstash filtering using grok to filter the log with []
- How to handle non-matching Logstash grok filters
- LOGSTASH filter | Multiple patterns for same file
- GROK Pattern filtering
- Logstash grok filter regex
- Logstash Grok filter getting multiple values per match
- Logstash - grok configuration filter
- Chaining grok filter patterns for logstash
- logstash fails to match a grok filter