Avoiding multiple OR conditions in if statements logstash

Hi,

I am using the below code to parse only the required lines from my logfile and ignore the others. Though the code is working, I want to avoid the multiple OR conditions. Can the strings in the OR conditions be read from another CSV or properties file using placeholders?

```
filter {
  # Lines about SiteController connections
  if ([message] =~ "SiteController Connection Accepted for SiteControllerIP=" or [message] =~ "Acknowledgement sent for SiteController Connection request for SiteControllerIP=") {
    grok {
      patterns_dir => ["./patterns"]
      # The literal [ ] around the thread name are escaped; unescaped they would form a character class
      match => { "message" => "%{PANACES_DATE:log_date}%{SPACE}\[%{GREEDYDATA:threadname}\]%{SPACE}%{WORD:module}%{SPACE}%{WORD:submodule}%{SPACE}[-]%{SPACE}::%{WORD:classname}::%{DATA:log_message}%{SPACE}%{IP:siteControllerIP}%{SPACE}[,]%{SPACE}%{WORD:siteControllerIDKey}[=]%{SPACE}%{NUMBER:siteControllerID}" }
    }
  }
  # Lines about agent registration, heartbeats and health checks
  else if ([message] =~ "Registered the agent with agentDetails:" or [message] =~ "Recieved heartBeat from the agent with the details = " or [message] =~ "Acknowledgement sent to the agent with agentDetails:" or [message] =~ "checkHealth: Disconnecting the Agent with the details " or [message] =~ "checkHealth::Agent is connected with agent details " or [message] =~ "About to send heartbeat from server to agent" or [message] =~ "Successfully sent heartbeat to" or [message] =~ "rpc not possible for agent while sending heartbeat" or [message] =~ "Problem sending hb to agent" or [message] =~ "checkHealth: there where no activities on the socket for" or [message] =~ "checkHealth: Disconnected the Agent with the details" or [message] =~ "checkHealth: socket.write is blocked for a while - something is really wrong - disconnecting for") {
    grok {
      patterns_dir => ["./patterns"]
      match => { "message" => "%{PANACES_DATE:log_date}%{SPACE}\[%{GREEDYDATA:threadname}\]%{SPACE}%{WORD:module}%{SPACE}%{WORD:submodule}%{SPACE}[-]%{SPACE}::%{WORD:classname}::%{DATA:log_message}%{SPACE}%{WORD:agentKey}[=]%{SPACE}%{DATA:agentname}%{SPACE}%{WORD:agentIPKey}[=]%{SPACE}%{IP:agentIpAddress}%{SPACE}%{WORD:agentIdKey}[=]%{SPACE}%{NUMBER:agentId}%{SPACE}%{WORD:siteControllerIPKey}[=]%{SPACE}%{DATA:siteControllerIP}%{WORD:siteControllerIDKey}[=]%{SPACE}%{DATA:siteControllerID}" }
    }
  }
  # Everything else is discarded
  else {
    drop { }
  }
  date {
    match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}
```

What I mean is, can the below

```
else if ([message] =~ "Registered the agent with agentDetails:" or [message] =~ "Recieved heartBeat from the agent with the details = " or [message] =~ "Acknowledgement sent to the agent with agentDetails:" or [message] =~ "checkHealth: Disconnecting the Agent with the details " or [message] =~ "checkHealth::Agent is connected with agent details " or [message] =~ "About to send heartbeat from server to agent" or [message] =~ "Successfully sent heartbeat to" or [message] =~ "rpc not possible for agent while sending heartbeat" or [message] =~ "Problem sending hb to agent" or [message] =~ "checkHealth: there where no activities on the socket for" or [message] =~ "checkHealth: Disconnected the Agent with the details" or [message] =~ "checkHealth: socket.write is blocked for a while - something is really wrong - disconnecting for")
```

be like

```
else if ([message] in $(List_of messages))
```

Thanks

Please use markdown or </> to format your code.

You should be able to use a translate filter (with the regex option enabled).
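
A sketch of that suggestion, added here as an example and not posted by anyone in the thread: the match strings move into a dictionary file, the translate filter tags each event, and the conditionals compare a single field. The dictionary path, the `[@metadata][line_type]` field and the `sitecontroller`/`agent` labels are assumptions; `source`/`target` are the option names in current plugin versions (older versions call them `field`/`destination`).

```logstash
# Assumed dictionary file: /etc/logstash/line_types.yml
# With regex => true each key is a regular expression matched anywhere in the
# message, so escape any metacharacter that must be taken literally.
# One entry per string from the original OR conditions, for example:
#
#   "SiteController Connection Accepted for SiteControllerIP=": "sitecontroller"
#   "Acknowledgement sent for SiteController Connection request for SiteControllerIP=": "sitecontroller"
#   "Registered the agent with agentDetails:": "agent"
#   "Recieved heartBeat from the agent with the details = ": "agent"
#   "Successfully sent heartbeat to": "agent"
#   (remaining agent strings follow the same form)

filter {
  translate {
    source          => "message"
    target          => "[@metadata][line_type]"   # assumed name; @metadata is not sent to outputs
    dictionary_path => "/etc/logstash/line_types.yml"
    regex           => true    # treat dictionary keys as regular expressions
    exact           => true    # target receives the dictionary value itself
  }

  if [@metadata][line_type] == "sitecontroller" {
    grok {
      patterns_dir => ["./patterns"]
      match => { "message" => "%{PANACES_DATE:log_date}%{SPACE}\[%{GREEDYDATA:threadname}\]%{SPACE}%{WORD:module}%{SPACE}%{WORD:submodule}%{SPACE}[-]%{SPACE}::%{WORD:classname}::%{DATA:log_message}%{SPACE}%{IP:siteControllerIP}%{SPACE}[,]%{SPACE}%{WORD:siteControllerIDKey}[=]%{SPACE}%{NUMBER:siteControllerID}" }
    }
  }
  else if [@metadata][line_type] == "agent" {
    grok {
      patterns_dir => ["./patterns"]
      match => { "message" => "%{PANACES_DATE:log_date}%{SPACE}\[%{GREEDYDATA:threadname}\]%{SPACE}%{WORD:module}%{SPACE}%{WORD:submodule}%{SPACE}[-]%{SPACE}::%{WORD:classname}::%{DATA:log_message}%{SPACE}%{WORD:agentKey}[=]%{SPACE}%{DATA:agentname}%{SPACE}%{WORD:agentIPKey}[=]%{SPACE}%{IP:agentIpAddress}%{SPACE}%{WORD:agentIdKey}[=]%{SPACE}%{NUMBER:agentId}%{SPACE}%{WORD:siteControllerIPKey}[=]%{SPACE}%{DATA:siteControllerIP}%{WORD:siteControllerIDKey}[=]%{SPACE}%{DATA:siteControllerID}" }
    }
  }
  else {
    # No dictionary key matched, so the target field was never set
    drop { }
  }
}
```

The plugin re-reads the dictionary file on its `refresh_interval`, so strings can be added or removed without editing the pipeline.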
