Is it possible to use Grok Expression with in If condition
i.e.
filter
{
if ([message] = /^%{TIMESTAMP_ISO8601}) (i.e. if line starts with ISO8601 Timestamp it needs to execute different condition)
{
grok (some condition)
}
else if ([message] = /^%{CATALINA_DATESTAMP}) (i.e. if line starts with CATALINA data time format, it needs to execute different condition)
{
grok(some condition)
}
I tried this condition, however I am not getting expected result at the same time I am not getting any error.
Is it possible to use Grok Expression with in If condition
No, it is not.
I tried this condition, however I am not getting expected result at the same time I am not getting any error.
Why would you get an error? The string is still a valid regular expression, it's just that it doesn't match like you expect it to.
(But if grok patterns in regexp match expressions did work, the fact that you're escaping the percent sign at the beginning of the string probably would've prevented it from working.)
Is this the right approach? i get different types of logs and I am using the same configuration file, whenever it sees a line starting with any of the above condition provided then it needs to create the variables accordingly. Based on the variables I am planning to write conditions.
Yes, this looks reasonable. I'm assuming your multiline pattern actually contains \| and not just |. Always post your configuration formatted as code to avoid this kind of time-wasting ambiguity.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.