I had a logstash configuration as below :
input {
3 input sources
}
filter {
if [field] [source]== "source1" {
do ....
}
else [field] [source]== "source2" {
do ....
}
else if [field] [source]== "source3" {
grok {
matches => { {DATESTAMP:@when} %{WORD:msg} }
add_tag => "taged"
}
}
output {
es: XXXXX
}
You can have multiple filters. It would help if you would show an example message and say what tags you want to add under what conditions.
my problem when using second match inside grok it apply the tag to the whole logs and it should be applied to just one types of messages , I checked for the grok in the grok debugger website and for all my log it just pick the message I need it to be tagged , but in the server practice it add it to all logs ,
You cannot put two match options in the same grok filter, it seems the second will overwrite the first. Suppose we have two lines of text: "y=1" and "x=2". If you want one tagged with X and one tagged with Y then this would work...
grok { match => { "message" => "x=%{NUMBER}" } add_tag => [ "X"] }
grok { match => { "message" => "y=%{NUMBER}" } add_tag => [ "Y"] }
The first will have
"tags" => [
[0] "_grokparsefailure",
[1] "Y"
],
because the first grok fails to match, but the second does match so it does add a tag. The second will have
"tags" => [
[0] "X",
[1] "_grokparsefailure"
],
and the order of the entries is reversed.
I tried this , but I ran into a problem ,
my first grok is used to filter out the logs I need it from my record,
and from those logs I need to be able to pick two types of different messages and tag them [ start , end ] so I can used elapsed plugin for elapsed time calculation,
What do the messages you care about look like?
[Session Started ]
and for the end of process
[SessionEnded ]
I am unclear what the problem is. The documentation for the elapsed filter has an example of doing one grok to add the taskStarted tag and one to add the taskTerminated tag. Why can't you do what the example does?
I figured I had an issue with my elapsed filter not installed, so the configuration always wrong,
now installed and work well,
Thanks
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.