Does Dissect's mapping able to match multiple pattern?

Muhammad_Ariful_Isla · February 20, 2020, 7:40pm

As my log have multiple pattern I need to use multiple dissect pattern so that if one pattern fails to recognize the log other can capture. Following pseudo configuration works,

"message" => "pattern1"

Or

"message" => "pattern2"

But following configuration is not working,

"message" => ["pattern1", "pattern2"]

Does dissect support these kinds of match?

I saw something like this on @Christian_Dahlqvist’s answer on the following link,

Especially in the following part,

dissect {
 break_on_match => true
 mapping => {
   "message" => [
     "%{ts->} %{+ts} %{+ts} %{host} %{command}(pam_unix)[%{pid}]: %{action} %{+action} for user %{user} by (uid=%{uid})%{}",
     "%{ts->} %{+ts} %{+ts} %{host} %{command}(pam_unix)[%{pid}]: %{action} %{+action} for user %{user}",
     "%{ts->} %{+ts} %{+ts} %{host} %{command}(pam_unix)[%{pid}]: %{action} %{+action}; %{params}"
 }
}

Badger · February 21, 2020, 3:15pm

No, it does not. The issue you linked to is a suggestion for a possible modification to the design of the filter, it has not been implemented.

system · March 20, 2020, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to map multiple patterns using dissect Logstash	6	1868	September 27, 2020
Best way to parse multiple message patterns Logstash	8	1019	June 15, 2022
Having multiple parsing (dissect) conditions chained Logstash	3	1041	November 5, 2019
Multiple grok pattern, really multiple? Logstash	2	211	April 28, 2022
Using _dissectfailure for matching multiple lines with dissect Logstash	1	603	September 27, 2021

Does Dissect's mapping able to match multiple pattern?

Related topics