Actually, I was wrong. This hasn't resolved the issue!
Both filters work when each is the only one in the conf file, but with both present everything is still being run through the first filter, and I am getting _grokparsefailure on everything that should be going to the second filter.
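filter {
  # Parse F5 log lines with one of two grok patterns, then look the message up
  # in a regex-keyed dictionary and expand the lookup result as JSON.

  ### GROK Statement to catch Application Traffic from the F5 ###
  # Only syslog-typed events whose message contains "Application_HTTPS" take
  # this branch. Every other event, whatever its type, falls through to the
  # else branch and is tagged _grokparsefailure if that pattern does not match.
  if [type] == "syslog" and "Application_HTTPS" in [message] {
    # NOTE(review): grok's documented capture form is %{SYNTAX:SEMANTIC:TYPE}
    # with TYPE int or float. "packet_size:bytes:int" and "response_ms:ms:int"
    # carry an extra segment; confirm the resulting field names and types on a
    # sample event before relying on them.
    grok {
      match => { "message" => "%{URIHOST:client_ip} %{SYSLOG5424SD:timestamp} %{IP:virtual_ip} %{URIPATHPARAM:virtual_name} %{URIPATHPARAM:virtual_pool_name} %{IP:server} %{NUMBER:server_port} %{DATA:junk} %{DATA:junk2} %{NUMBER:packet_size:bytes:int} %{NUMBER:response_ms:ms:int} %{DATA:junk3} %{DATA:junk4}" }
    }
  } else {
    # Fixed: the quoted path capture was written "{DATA:path}" without the
    # leading %, so grok looked for that literal text instead of expanding the
    # DATA pattern and the whole match failed on real log lines.
    grok {
      match => { "message" => "%{IP:clientip} \[%{HTTPDATE:timestamp}\] %{IP:virtual_ip} %{DATA:virtual_name} %{DATA:virtual_pool_name} %{DATA:server} %{NUMBER:server_port} \"%{DATA:path}\" \"(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})\" %{NUMBER:response:int} %{NUMBER:bytes:int} %{NUMBER:response_ms:int} %{QS:referrer} %{QS:agent}" }
    }
  }

  # Both branches ran the same translate + json pair after grok, so it is
  # applied once here; the order of filters seen by each event is unchanged.
  # The dictionary keys are treated as regular expressions and tested against
  # the raw "message" field.
  translate {
    regex => true
    dictionary_path => "/etc/logstash/jsontranslate.yml"
    field => "message"
  }

  # No target is set, so the parsed keys are written at the top level of the
  # event and can replace fields that grok just extracted. If these events feed
  # alerting or audit searches, setting a target keeps the enrichment separate
  # from the parsed log fields.
  json {
    source => "translation"
  }
}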