Grok filter sequence

Hi, I am using the 3 filters below in my test configuration.

grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:eventTime}" }
  tag_on_failure => [ "_grok_match_fail_1" ]
}

grok {
  match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
  tag_on_failure => [ "_grok_match_fail_2" ]
}

grok {
  patterns_dir => "C:\LIJPRJ\trunk\code\centralized-logging\Deliverables\Logstash\logstash-patterns-core-master\patterns"
  match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
  tag_on_failure => [ "_grok_match_fail_3" ]
}

It fails for the 1st and 3rd match. I want to know how to skip the 3rd grok filter when the message matches the second one.
Does it really make sense to go inside the third and put a parseFailure tag when it matches the second filter?

I can remove the failure tag, but why does it go inside the third match?

br,
Sunil

You could use a conditional to skip grok filters based on tags, but can't you just bundle two or more grok expressions in the same filter? Then Logstash will try them all in order and bail out if one of them matches.

grok {
  match => {
    "message" => [
      "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}",
      "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}"
    ]
  }
}
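For completeness, here is the conditional variant mentioned in the reply, as an added example that is not part of either post. It assumes the same two patterns and failure tags as the question and uses grok's `break_on_match` option (default `true`) in the bundled form, so the first matching pattern ends the attempt:

```logstash
filter {
  # Variant A: one grok filter, several patterns, tried in order.
  # break_on_match defaults to true, so the syslog pattern is only
  # attempted when the access-log pattern did not match.
  grok {
    match => {
      "message" => [
        "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}",
        "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}"
      ]
    }
    break_on_match => true
    tag_on_failure => [ "_grok_match_fail" ]
  }

  # Variant B: separate grok filters, with the second one gated on the
  # failure tag of the first (same tags as in the original question).
  # Keep either A or B, not both.
  grok {
    match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
    tag_on_failure => [ "_grok_match_fail_2" ]
  }

  if "_grok_match_fail_2" in [tags] {
    grok {
      match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
      tag_on_failure => [ "_grok_match_fail_3" ]
    }
    # Optional: drop the intermediate tag once the syslog pattern matched,
    # so only events that matched nothing keep a failure tag.
    if "_grok_match_fail_3" not in [tags] {
      mutate { remove_tag => [ "_grok_match_fail_2" ] }
    }
  }
}
```

With variant B the `_grok_match_fail_3` tag is only ever added to events that matched neither pattern, which is what the question is asking for.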
