I have a filter like below:

    filter {
        grok {
            match => {
                "message" => "(?<user_agent>^.{3}) %{GREEDYDATA:body}"
            }
        }
    }

Can I put "(?<user_agent>^.{3}) %{GREEDYDATA:body}" inside a variable and use it as per a condition?

    a = "(?<user_agent>^.{3}) %{GREEDYDATA:body}"
    b = "(?<user_agent2>^.{3}) %{GREEDYDATA:body}"
    filter {
        if ("key==a") {
            grok {
                match => {
                    "message" => a
                }
            }
        } else {
            grok {
                match => {
                    "message" => b
                }
            }
        }
    }

Thanks for reading and helping
             
            
              
            
           
          
            
              
Badger, April 30, 2019, 2:48pm, post 2
               
             
            
              
No, you cannot. Nor can you use a sprintf reference in the grok pattern.
             
            
              1 Like 
            
            
           
          
            
              
A_B, April 30, 2019, 2:50pm, post 3
               
             
            
Hi @rahulkothanath,
I do not think that will work, but I am not 100% sure...
What you can do is make a pattern file and give names to the combined patterns. You can also try more than one pattern using a pipe.
The pattern file would look something like
MY_PATTERN_1 (?<user_agent>^.{3}) %{GREEDYDATA:body}
MY_PATTERN_2 (?<user_agent2>^.{3}) %{GREEDYDATA:body}
ALL_MY_PATTERNS (%{MY_PATTERN_1}|%{MY_PATTERN_2})
Put the above pattern file in /path/to/patterns. And for the filter you configure
grok {
  patterns_dir   => [ "/path/to/patterns" ]
  match          => { "message" => "%{ALL_MY_PATTERNS}" }
}
Patterns will be tried until the first match is found.
             
            
              1 Like 
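
An added example, not part of the original posts: choosing between the two patterns with a Logstash conditional, since a grok pattern cannot come from a variable or a sprintf reference. It assumes the selector is an event field named `key`; the failure tag names and the `parse_status` metadata field are hypothetical, and `pattern_definitions` is used here as the inline equivalent of the pattern file.

```logstash
filter {
  # Assumption: every event carries a field named "key" that selects the pattern.
  if [key] == "a" {
    grok {
      # Inline named pattern, same body as MY_PATTERN_1 in the pattern file.
      pattern_definitions => {
        "MY_PATTERN_1" => "(?<user_agent>^.{3}) %{GREEDYDATA:body}"
      }
      match          => { "message" => "%{MY_PATTERN_1}" }
      # Distinct tag per branch so parse failures can be traced to a pattern.
      tag_on_failure => ["_grokfail_pattern_1"]
      # Bound regex evaluation time per event (the default is 30000 ms).
      timeout_millis => 5000
    }
  } else {
    grok {
      pattern_definitions => {
        "MY_PATTERN_2" => "(?<user_agent2>^.{3}) %{GREEDYDATA:body}"
      }
      match          => { "message" => "%{MY_PATTERN_2}" }
      tag_on_failure => ["_grokfail_pattern_2"]
      timeout_millis => 5000
    }
  }

  # Mark unparsed events so an output conditional can route them to a
  # separate index or file instead of mixing them with parsed data.
  if "_grokfail_pattern_1" in [tags] or "_grokfail_pattern_2" in [tags] {
    mutate {
      add_field => { "[@metadata][parse_status]" => "failed" }
    }
  }
}
```

Because the pattern is chosen by the conditional rather than by alternation, each event is matched against exactly one expression, and the per-branch failure tags show which pattern rejected it.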
            
            
           
          
            
            
Thanks for the response. Will try pattern_dir and let you know.
             
            
              
            
           
          
            
              