Grok filter multiple match

cactus · October 3, 2019, 9:46pm

Hello,

Can someone point me to a proper way with grok parsing?

I want to parse syslog messages, for this purpose I created 2 syslog pattern within grok:

filter {
  if [type] == 'syslog' {
  	grok {
      match => { 'message' => ['%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}',
                '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}'] }
      add_field => [ 'received_from', "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
      target => [ "@timestamp"]
    }

I need to have 2 patterns because some hosts sends log in ISO8601 format and the rest in traditional(I might b wrong here but I understand it like that).

According to LS documentation - it's correct code for grok:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#plugins-filters-grok-match

If you need to match multiple patterns against a single field, the value can be an array of patterns:

filter {
      grok {
        match => {
          "message" => [
            "Duration: %{NUMBER:duration}",
            "Speed: %{NUMBER:speed}"
          ]
        }
      }
    }

Is it possible to parse syslog messages using next construction:

filter {
  if [type] == 'syslog' {
  	grok {
      match => { 'message' => '%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}' }
      add_field => [ 'received_from', "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "ISO8601" ]
      target => [ "@timestamp"]
    }

filter {
  if [type] == 'syslog' {
  	grok {
      match => { 'message' => '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}' }
      add_field => [ 'received_from', "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      target => [ "@timestamp"]
    }

Can I use more than 1 pattern within grok filter?
If I will use more than 1 pattern - will it cause delays in log parsing or logs going to parse in wrong way(I will get _grokparsefailure for example)?
What approach is best - first or second and why?
What is the best way to parse logs using more than 1 pattern.

Thank you.

Badger · October 3, 2019, 10:14pm

You can use more than one pattern in a filter. You should read this, which will help you understand why you should anchor your patterns using ^ if they are expected to match the start of a line. There is very little overhead using multiple patterns if you do that.

cactus · October 3, 2019, 10:35pm

Thank you, reading now....
How about constructions above? What of them is more correct - when I used multiple matching or when I used grok filter twice against one type: syslog?

Badger · October 3, 2019, 10:54pm

Personally I would use an array of patterns.

system · October 31, 2019, 10:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple match option in grok Logstash	8	15728	May 24, 2017
Filter Multiple Patterns Logstash	4	1009	September 22, 2017
Multile pattren in single Grok Filter Logstash	5	285	August 28, 2018
How many matches, we can have in grok filter - as example below Logstash	5	519	October 12, 2018
Logstash 8.1 multiple patterns Logstash	2	160	December 22, 2023

Grok filter multiple match

Related topics