Check for more than one text from the grok filtered message?

Kulasangar_Gowrisang · September 12, 2016, 12:07pm

I'm trying to find two log types from every single line of the log file, and if it match i'm assigning a log type to it by adding a log_type field.

This is a piece of snippet from the logstash config:

    filter {
    		
    		grok {
    			patterns_dir => ["/home/chamith/work/ELK/logstash/logstash-2.3.4/bin/patterns"]
    			match => { "message" => "^%{LOGTIMESTAMP:logtimestamp}%{GREEDYDATA}" }	
    		}
    		
                mutate {
    			add_field => { "log_type" => "" }
    		}
    		
    		if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth CHARGE_EXCEEDS_LIMIT" }
    			}
    		
    		}
    		
    		if "Auth" and "INSUFFICIENT_FUNDS" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth INSUFFICIENT_FUNDS" }
    			}
    		
    		}

After trying this, when i checked it from Kibana, nothing has been assigned to the new field log_type, even though it has been created.

Where am i going wrong? Any help would be appreciated.

magnusbaeck · September 12, 2016, 1:28pm

if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{

If this is supposed to mean "if the message field contains both 'Auth' and 'CHARGE_EXCEEDS_LIMIT'" you need to write it like this:

 if "Auth" in [message] and "CHARGE_EXCEEDS_LIMIT" in [message] {

Kulasangar_Gowrisang · September 12, 2016, 3:19pm

Thanks, it works!

Topic		Replies	Views
Writing multiple grok filters Logstash	5	539	April 9, 2020
Logstash filter problem Logstash	3	311	April 19, 2018
Grok filter if [type] Logstash	5	6148	January 16, 2017
Grok with multiple matches - can i assign type based on match? Logstash	7	48063	November 4, 2022
Conditionals in Grok filter for more than one log type Logstash	12	1238	October 25, 2017

Check for more than one text from the grok filtered message?

Related topics