Conditional check grok and mutate a grok field

Hi, I need to check if the first column of data "os" contains the string "lnx" or "win".

If it contains the string "lnx" in the first column, do this grok:
grok { match => { "message" => "%{DATA:os}%{NUMBER:virt_mem_used}"} }

If it contains the string "win" in the first column, do this grok:
grok { match => { "message" => "%{DATA:os}%{NUMBER:swap_space_used}"} }

Is this possible?
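
One way to branch between the two grok filters with a Logstash conditional, as an added example that is not part of the original post. It assumes the columns are whitespace-separated and that "os" is the first column; the tag names are hypothetical.

```logstash
filter {
  # Assumption: the first whitespace-delimited column of "message" is the os value.
  # The regex tests run against the raw message, because the "os" field
  # does not exist until one of the grok filters has matched.
  if [message] =~ /^\S*lnx/ {
    grok {
      match => { "message" => "^%{NOTSPACE:os}\s+%{NUMBER:virt_mem_used}" }
      # Hypothetical tag name, so Linux parse failures can be told apart.
      tag_on_failure => ["_grokparsefailure_lnx"]
    }
  } else if [message] =~ /^\S*win/ {
    grok {
      match => { "message" => "^%{NOTSPACE:os}\s+%{NUMBER:swap_space_used}" }
      # Hypothetical tag name, so Windows parse failures can be told apart.
      tag_on_failure => ["_grokparsefailure_win"]
    }
  } else {
    # Neither string is present in the first column: mark the event
    # instead of letting it pass through unparsed and unnoticed.
    mutate { add_tag => ["unknown_os"] }
  }
}
```

Tagging the fall-through branch makes events from unexpected sources visible in a search instead of silently missing the numeric field.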
