Doesn't work when trying to match on "source" and "message" in the same grok

Hamish1 · December 18, 2019, 3:10pm

Good day everyone!

I'm using filebeat and logstash.

Here is the part of logstash filter which is not working as I'm expecting.

if "app_name" in [tags] {

mutate {
    gsub => ["message", "\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]", ""]
  }

  grok {
     match => [
                "source" => "/opt/data/app/logs/%{GREEDYDATA:service_name}/%{GREEDYDATA:log_file_name}",
                "message" => "\[%{GREEDYDATA:severity}\] %{TIMESTAMP_ISO8601:timestamp} - %{GREEDYDATA:message}"
              ]
       overwrite => [ "message" ]
       }

  date {
    match => [ "timestamp", "yyyy-mm-dd HH:mm:ss" ]
    target => "@timestamp"
    timezone => "UTC"
    remove_field => ["timestamp"]
  }
}

As you can see, I'm trying to match and extract values from "source" field and "message" field in the same grok. But works only the first one (in this example - "source").

Is there a way how to achieve that?

Any help will be extremely appreciated!

Transrian · December 19, 2019, 6:24pm

By default, Grok stop after the first match successful, which mean that if first parsing is successful (source), message parsing will not be 'invoqued'.

To allow it to match your multiple fields / formats, you will need to disable the option break_on_match

system · January 16, 2020, 6:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK Multiple Match - Logstash Logstash	4	27103	July 6, 2017
Multiple Grok Filters Logstash	5	1452	July 26, 2017
Greedydata does not work Logstash	11	2922	July 6, 2017
Issue with extracting timestamp value from log file Logstash	4	302	April 6, 2019
3 grok filter in same file Logstash	16	1089	September 24, 2018

Doesn't work when trying to match on "source" and "message" in the same grok

Related topics