Can I use filter inside filter?

et159 · January 7, 2019, 7:08pm

I had a logstash configuration as below :

input {  
  3 input sources 
     }
filter {
    if [field] [source]== "source1" { 
      do ....
     }
     else [field] [source]== "source2" { 
      do ....
     }
     else if [field] [source]== "source3" { 
          grok {
                    matches => { {DATESTAMP:@when}  %{WORD:msg} } 
                     add_tag => "taged" 
          }

     }
  output {
       es: XXXXX
   }

I need to add some additional tags on specific msgs can I use filter again inside filter ?

Badger · January 7, 2019, 8:34pm

You can have multiple filters. It would help if you would show an example message and say what tags you want to add under what conditions.

et159 · January 8, 2019, 6:32pm

my problem when using second match inside grok it apply the tag to the whole logs and it should be applied to just one types of messages , I checked for the grok in the grok debugger website and for all my log it just pick the message I need it to be tagged , but in the server practice it add it to all logs ,

Badger · January 8, 2019, 6:53pm

You cannot put two match options in the same grok filter, it seems the second will overwrite the first. Suppose we have two lines of text: "y=1" and "x=2". If you want one tagged with X and one tagged with Y then this would work...

grok { match => { "message" => "x=%{NUMBER}" } add_tag => [ "X"] }
grok { match => { "message" => "y=%{NUMBER}" } add_tag => [ "Y"] }

The first will have

      "tags" => [
    [0] "_grokparsefailure",
    [1] "Y"
],

because the first grok fails to match, but the second does match so it does add a tag. The second will have

      "tags" => [
    [0] "X",
    [1] "_grokparsefailure"
],

and the order of the entries is reversed.

et159 · January 9, 2019, 10:26pm

I tried this , but I ran into a problem ,
my first grok is used to filter out the logs I need it from my record,

and from those logs I need to be able to pick two types of different messages and tag them [ start , end ] so I can used elapsed plugin for elapsed time calculation,

Badger · January 9, 2019, 10:31pm

What do the messages you care about look like?

et159 · January 9, 2019, 10:34pm

[Session Started ]

and for the end of process

[SessionEnded ]

Badger · January 9, 2019, 11:12pm

I am unclear what the problem is. The documentation for the elapsed filter has an example of doing one grok to add the taskStarted tag and one to add the taskTerminated tag. Why can't you do what the example does?

et159 · February 2, 2019, 4:15pm

I figured I had an issue with my elapsed filter not installed, so the configuration always wrong,
now installed and work well,

Thanks

system · March 2, 2019, 4:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.