Check for more than one text from the grok filtered message?

Kulasangar_Gowrisang · September 12, 2016, 12:07pm

I'm trying to find two log types from every single line of the log file, and if it match i'm assigning a log type to it by adding a log_type field.

This is a piece of snippet from the logstash config:

    filter {
    		
    		grok {
    			patterns_dir => ["/home/chamith/work/ELK/logstash/logstash-2.3.4/bin/patterns"]
    			match => { "message" => "^%{LOGTIMESTAMP:logtimestamp}%{GREEDYDATA}" }	
    		}
    		
                mutate {
    			add_field => { "log_type" => "" }
    		}
    		
    		if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth CHARGE_EXCEEDS_LIMIT" }
    			}
    		
    		}
    		
    		if "Auth" and "INSUFFICIENT_FUNDS" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth INSUFFICIENT_FUNDS" }
    			}
    		
    		}

After trying this, when i checked it from Kibana, nothing has been assigned to the new field log_type, even though it has been created.

Where am i going wrong? Any help would be appreciated.

magnusbaeck · September 12, 2016, 1:28pm

if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{

If this is supposed to mean "if the message field contains both 'Auth' and 'CHARGE_EXCEEDS_LIMIT'" you need to write it like this:

 if "Auth" in [message] and "CHARGE_EXCEEDS_LIMIT" in [message] {

Kulasangar_Gowrisang · September 12, 2016, 3:19pm

Thanks, it works!

Topic		Replies	Views
Conditionals in Grok filter for more than one log type Logstash	12	1181	October 25, 2017
Grok The correct syntax to match against multiple patterns Logstash	1	23	August 31, 2024
Writing multiple grok filters Logstash	5	526	April 9, 2020
How to handle multiple match in logstash filter Logstash	6	9969	September 8, 2017
Grok filter for log files in logstash Logstash	14	2475	February 7, 2020

Check for more than one text from the grok filtered message?

Related Topics