Grok filter sequence

Hi, I am using below 3 filters in my test configuration.

grok {
              match => { "message" => "%{TIMESTAMP_ISO8601:eventTime}" }
				 tag_on_failure => [ "_grok_match_fail_1" ] 
		grok {
		match => { "message" => "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}" }
		tag_on_failure => [ "_grok_match_fail_2" ]
	grok {
		patterns_dir => "C:\LIJPRJ\trunk\code\centralized-logging\Deliverables\Logstash\logstash-patterns-core-master\patterns"
		match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
		tag_on_failure => [ "_grok_match_fail_3" ]

It fails for 1 and 3rd match. I want to know, how to skip 3rd grok filter when it matches with second ?
Does it really makes sense to go inside third and put parseFailure tag when it matches with second filter.

I can remove failure tag, but why does it go inside third match?


You could use a conditional to skip grok filters based on tags, but can't you just bundle two or more grok expressions in the same filter? Then Logstash will try them all in order and bail out if one of them matches.

grok {
  match => {
    "message" => [
      "%{IP:client} %{WORD:method} %{URIPATHPARAM:request} %{NUMBER:bytes} %{NUMBER:duration}",
      "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}"

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.