Elastic Ingest with multiple grok processors

JamesFx · January 3, 2017, 4:06pm

That was my first try.

I am using version 5.1 and it only takes into account the last grok.

"processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{STATUS:status};\\s+%{WORD:service};\\s+%{MSG:message}\\|\\s+%{WORD:key01}=%{NUMBER:value01}.*",
          "%{STATUS:status};\\s+%{WORD:service};\\s+%{GREEDYDATA:message}"
        ],
        "pattern_definitions": {
          "STATUS": "\\d+",
          "MSG": ".+?"
        }
      },
      "grok": {
          "field": "source",
          "patterns": [".+?%{TIMESTAMP:timestamp}.+"],
          "pattern_definitions" : {
            "TIMESTAMP" : "[0-9]+"}
        }
      ,
      "date" : {
        "field" : "timestamp",
        "formats" : ["UNIX_MS"]
      },
      "remove": {
        "field": "timestamp"
      }
    }
  ]

Topic		Replies	Views
Ingest - grok - more fields by same processor, domain parsing Elasticsearch	1	519	July 12, 2017
Unexpected result for grok processor with multiple patterns Elasticsearch	1	599	December 23, 2016
Grok processor - Multiple matches of the same pattern Elasticsearch ingest-pipeline	1	227	November 28, 2022
How to use more than 1 pattern in pipelines? Elasticsearch	2	439	February 21, 2017
Multiple Grok Processors in pipeline: "[processors] required property is missing" Elasticsearch	2	1471	July 10, 2020

Elastic Ingest with multiple grok processors

Related topics