Are multiple groks OK?

I am parsing generic log4net logs, so all of them have timestamp, thread id, level and message, but only a small percentage have something contained within the remaining message, such as "User login = 'USER'".

My question is: can I have multiple groks, where the primary one adds the timestamp, threadId, level and tempMessage fields, but if another wanted pattern is found I can add fields such as user?

What I'm thinking of is:

```
grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:sourceTimestamp} \[%{NUMBER:threadId}\] %{LOGLEVEL:level} %{GREEDYDATA:tempMessage}" }
}

grok {
  # STRING is not a built-in grok pattern; DATA captures up to the closing quote
  match => { "tempMessage" => "User login = '%{DATA:user}'" }
  # most events will not contain a login, so do not tag them with _grokparsefailure
  tag_on_failure => []
}
```

Yep, that's perfectly fine! 🙂
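To show what the two-stage approach does on real lines, here is an added Python stand-in for the pipeline (example code written for this page, not part of the original question or answer, and not Logstash itself). It emulates a grok block as "add the named captures on match, otherwise add a tag", runs the primary pattern on `message` and the optional pattern on `tempMessage`, and uses `tag_on_failure=None` for the second stage so the many lines without a login are not marked as failures. The regexes are hand-written approximations of `TIMESTAMP_ISO8601`, `NUMBER`, `LOGLEVEL` and `GREEDYDATA` (the real grok definitions are broader), and the log4net lines are constructed sample input.

```python
import re

# Hand-written approximations of the grok patterns used in the pipeline.
# Grok's real TIMESTAMP_ISO8601 / LOGLEVEL definitions accept more variants.
PRIMARY = re.compile(
    r"^(?P<sourceTimestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?) "
    r"\[(?P<threadId>\d+)\] "
    r"(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) "
    r"(?P<tempMessage>.*)$"
)

# Second-stage pattern: only a minority of messages carry a user login.
USER_LOGIN = re.compile(r"User login = '(?P<user>[^']*)'")

# Constructed sample log4net lines (not taken from any real system).
SAMPLE_LOG = """\
2023-05-04 10:15:42,123 [12] INFO Application started
2023-05-04 10:15:43,001 [12] INFO User login = 'alice'
2023-05-04 10:15:44,500 [7] WARN Cache miss for key session:42
2023-05-04 10:15:45,010 [12] ERROR User login = 'bob' failed: bad password
not a log4net line at all
"""


def grok(event, field, pattern, tag_on_failure="_grokparsefailure"):
    """Emulate one Logstash grok block.

    On a match, every named capture becomes a field on the event.
    On a miss, append tag_on_failure (pass None to make the match optional,
    the equivalent of tag_on_failure => [] in the Logstash config).
    """
    text = event.get(field)
    match = pattern.search(text) if text is not None else None
    if match is None:
        if tag_on_failure:
            event.setdefault("tags", []).append(tag_on_failure)
        return event
    event.update(match.groupdict())
    return event


def parse_line(line):
    """Run the primary grok, then the optional second grok on tempMessage."""
    event = {"message": line}
    grok(event, "message", PRIMARY)
    # Only attempt the second stage when the first one produced tempMessage;
    # lines that failed the primary pattern keep their _grokparsefailure tag.
    if "tempMessage" in event:
        grok(event, "tempMessage", USER_LOGIN, tag_on_failure=None)
    return event


def parse_log(text):
    """Parse every non-empty line of a log4net log into an event dict."""
    return [parse_line(line) for line in text.splitlines() if line]


if __name__ == "__main__":
    for evt in parse_log(SAMPLE_LOG):
        print(evt)
```

Events that carry a login gain a `user` field alongside `sourceTimestamp`, `threadId`, `level` and `tempMessage`; the rest are left untouched by the second stage, and only lines that fail the primary pattern end up tagged.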
