Is there a way I can write a grok to do something like:
grok{
match => [ "Message_Data", "File \"C:\\\\Windows\\Prefetch\\DLL" or "New File \"C:\\\\Windows\\Prefetch\\DLL " ]
I don't want to have to write to separate statements for this match since i would just be duplicating everything
Use | to separate the different options (often combined with parentheses):
(some-subexpression|another-subexpression|...)© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.