Does Dissect's mapping able to match multiple pattern?

Muhammad_Ariful_Isla · February 20, 2020, 7:40pm

As my log have multiple pattern I need to use multiple dissect pattern so that if one pattern fails to recognize the log other can capture. Following pseudo configuration works,

"message" => "pattern1"

Or

"message" => "pattern2"

But following configuration is not working,

"message" => ["pattern1", "pattern2"]

Does dissect support these kinds of match?

I saw something like this on @Christian_Dahlqvist’s answer on the following link,

Especially in the following part,

dissect {
 break_on_match => true
 mapping => {
   "message" => [
     "%{ts->} %{+ts} %{+ts} %{host} %{command}(pam_unix)[%{pid}]: %{action} %{+action} for user %{user} by (uid=%{uid})%{}",
     "%{ts->} %{+ts} %{+ts} %{host} %{command}(pam_unix)[%{pid}]: %{action} %{+action} for user %{user}",
     "%{ts->} %{+ts} %{+ts} %{host} %{command}(pam_unix)[%{pid}]: %{action} %{+action}; %{params}"
 }
}

Badger · February 21, 2020, 3:15pm

No, it does not. The issue you linked to is a suggestion for a possible modification to the design of the filter, it has not been implemented.

system · March 20, 2020, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.