Hello,
Can someone point me to a proper way with grok parsing?
I want to parse syslog messages, for this purpose I created 2 syslog pattern within grok:
filter {
if [type] == 'syslog' {
grok {
match => { 'message' => ['%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}',
'%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}'] }
add_field => [ 'received_from', "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
target => [ "@timestamp"]
}
I need to have 2 patterns because some hosts sends log in ISO8601 format and the rest in traditional(I might b wrong here but I understand it like that).
According to LS documentation - it's correct code for grok:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#plugins-filters-grok-match
If you need to match multiple patterns against a single field, the value can be an array of patterns:
filter {
grok {
match => {
"message" => [
"Duration: %{NUMBER:duration}",
"Speed: %{NUMBER:speed}"
]
}
}
}
Is it possible to parse syslog messages using next construction:
filter {
if [type] == 'syslog' {
grok {
match => { 'message' => '%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}' }
add_field => [ 'received_from', "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "ISO8601" ]
target => [ "@timestamp"]
}
filter {
if [type] == 'syslog' {
grok {
match => { 'message' => '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}' }
add_field => [ 'received_from', "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
target => [ "@timestamp"]
}
- Can I use more than 1 pattern within grok filter?
- If I will use more than 1 pattern - will it cause delays in log parsing or logs going to parse in wrong way(I will get _grokparsefailure for example)?
- What approach is best - first or second and why?
- What is the best way to parse logs using more than 1 pattern.
Thank you.