Check for more than one text from the grok filtered message?

Kulasangar_Gowrisang · September 12, 2016, 12:07pm

I'm trying to find two log types from every single line of the log file, and if it match i'm assigning a log type to it by adding a log_type field.

This is a piece of snippet from the logstash config:

    filter {
    		
    		grok {
    			patterns_dir => ["/home/chamith/work/ELK/logstash/logstash-2.3.4/bin/patterns"]
    			match => { "message" => "^%{LOGTIMESTAMP:logtimestamp}%{GREEDYDATA}" }	
    		}
    		
                mutate {
    			add_field => { "log_type" => "" }
    		}
    		
    		if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth CHARGE_EXCEEDS_LIMIT" }
    			}
    		
    		}
    		
    		if "Auth" and "INSUFFICIENT_FUNDS" in ["message"]{
    			mutate {
    				add_field => { "log_type" => "Auth INSUFFICIENT_FUNDS" }
    			}
    		
    		}

After trying this, when i checked it from Kibana, nothing has been assigned to the new field log_type, even though it has been created.

Where am i going wrong? Any help would be appreciated.

magnusbaeck · September 12, 2016, 1:28pm

if "Auth" and "CHARGE_EXCEEDS_LIMIT" in ["message"]{

If this is supposed to mean "if the message field contains both 'Auth' and 'CHARGE_EXCEEDS_LIMIT'" you need to write it like this:

 if "Auth" in [message] and "CHARGE_EXCEEDS_LIMIT" in [message] {

Kulasangar_Gowrisang · September 12, 2016, 3:19pm

Thanks, it works!

Topic		Replies	Views
Logstash Multiple Grok Add Field Logstash	3	1009	August 24, 2018
Conditionals in Grok filter for more than one log type Logstash	12	1182	October 25, 2017
Grok The correct syntax to match against multiple patterns Logstash	1	28	August 31, 2024
Writing multiple grok filters Logstash	5	526	April 9, 2020
How to handle multiple match in logstash filter Logstash	6	9970	September 8, 2017

Check for more than one text from the grok filtered message?

Related topics