Grok Filter not Matching multiple filters

mussa572 · June 24, 2017, 5:28pm

Dear Team

I have following grok filter which matches 2 different fields from CSV file . However I have noticed that Logstash ignores the second line ( excuses) when sending the traffic to Elasticsearch . In case where the IP is not present in the CSV then the second filter works . As a work around I have created two separate grok filters and every thing works as expected .

I was wondering if there any issue with my filter sentence where both filters not working on one grok filter or it is a expected behaviour ?

grok {

match => ["ip:port", "%?/%{IP:src_ip}?:%{NUMBER:src_port}"],

match => ["excuses", "%{WORD:excuses_type_letter}=%{NUMBER:excuses_type_value}"]

}

Work Around

grok {

match => ["ip:port", "%?/%{IP:src_ip}?:%{NUMBER:src_port}"]

}

grok {
match => ["excuses", "%{WORD:excuses_type_letter}=%{NUMBER:excuses_type_value}"
]

}

Christian_Dahlqvist · June 25, 2017, 6:52am

If you want all listed expressions to always be evaluated for a grok filter, you must set break_on_match to false. By default this is set to true, which means that evaluation of grok patterns will stop after the first match.

mussa572 · June 26, 2017, 11:35am

Thanks Christian

system · July 24, 2017, 11:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.