Grok Filter not Matching multiple filters

mussa572 · June 24, 2017, 5:28pm

Dear Team

I have following grok filter which matches 2 different fields from CSV file . However I have noticed that Logstash ignores the second line ( excuses) when sending the traffic to Elasticsearch . In case where the IP is not present in the CSV then the second filter works . As a work around I have created two separate grok filters and every thing works as expected .

I was wondering if there any issue with my filter sentence where both filters not working on one grok filter or it is a expected behaviour ?

grok {

match => ["ip:port", "%?/%{IP:src_ip}?:%{NUMBER:src_port}"],

match => ["excuses", "%{WORD:excuses_type_letter}=%{NUMBER:excuses_type_value}"]

}

Work Around

grok {

match => ["ip:port", "%?/%{IP:src_ip}?:%{NUMBER:src_port}"]

}

grok {
match => ["excuses", "%{WORD:excuses_type_letter}=%{NUMBER:excuses_type_value}"
]

}

Christian_Dahlqvist · June 25, 2017, 6:52am

If you want all listed expressions to always be evaluated for a grok filter, you must set break_on_match to false. By default this is set to true, which means that evaluation of grok patterns will stop after the first match.

mussa572 · June 26, 2017, 11:35am

Thanks Christian

Topic		Replies	Views
Multiple grok filter Logstash	16	24213	October 3, 2017
How to use multiple filters and multiple Grok filters Logstash	5	14621	May 10, 2018
Grok performance Logstash	5	1355	January 18, 2018
Please validate mutiple GROK filter Logstash	4	4007	May 10, 2018
Custom pattern problems in the grok filter Logstash	2	2579	July 6, 2017

Grok Filter not Matching multiple filters

Related topics