Grok filter not working with if condition

ashok9177 · November 20, 2018, 6:21am

> filter {
> if "id4444" in [fields][component] {
>   grok {
>     match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (\[%{WORD:loglevel}\]) %{DATA} - %{DATA:method} processing time for transactionId : %{S3_REQUEST_LINE:transactionid} documentType : %{WORD:document type} is %{INT:duration:int}" }
> 
>   match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (\[%{WORD:loglevel}\]) %{DATA} - %{DATA:method} processing time for transactionId : %{S3_REQUEST_LINE:transactionid} documentType : %{WORD:document type} merchant : %{HOSTNAME:merchant} is %{INT:duration:int}" }
> 
> 
>  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{WORD:loglevel}\] %{GREEDYDATA}" }
>   }
> }
> else if "idt.512" or "idt.256"  in [fields][component] {
>  grok {
> 
>     match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER} (\[%{WORD:loglevel}\])" ]
> }
> }
> else if "id2fa"  in [fields][component] {
>  grok {
> 
>     match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER} (\[%{WORD:loglevel}\])" ]
> }
> }
> else if "ida" in [fields][component] {
>  grok {
> 
>     match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{WORD:loglevel}" ]
> }
> }

all grok filters are working but last if condtion filter isn't , is there any problem if condition ?

system · December 18, 2018, 6:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.