Grok loglevel catches 'er'

The grok loglevel pattern catches 'er' (for example if the word 'number' is in the message). Is there a way to fix that?

You mean catches "er"? And you're talking about the LOGLEVEL pattern, below? Well, don't use the pattern if it doesn't suit you. However, I don't see why it would pick up the "er" in "number" unless you have a very weird grok expression that probably can be improved to avoid the problem altogether. If you give us more details it'll be possible to help.

Thanks for the typo fix,
at any rate my grok is straightforward I think:

grok {
  patterns_dir => ["./patterns"]
  break_on_match => false
  match => { "message" => "%{LOGLEVEL:LogLevel}" }
  match => { "message" => "%{TIME:orig_time_stamp}" }
  match => { "message" => "%{BRACKETS:Header}" }
  match => { "message" => "%{STACK_TRACE:ST}" }
}

and I think the problem is regex origin since the loglevel regex seems to catch 'er'

That use of grok is ill-advised. Use a single grok expression to match the message in one swoop, e.g. like this (depending on what your log messages look like, obviously):

grok {
  match => {
    "message" => "^%{TIME:orig_time_stamp} %{LOGLEVEL:LogLevel} %{BRACKETS:Header} %{STACK_TRACE:ST}"
  }
  patterns_dir => ["./patterns"]
}

The way you've written it you'll look for LOGLEVEL, TIME, and so on anywhere in the message so it's quite possible to get mismatches, as you've seen.
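To show why the unanchored config picks up "er", here is an added example (not from the thread) that runs the stock LOGLEVEL regex both ways in Python: the `[Ee]rr?(?:or)?` alternative in that pattern legitimately matches the bare string "er" inside "number" when searched anywhere in the message, while the anchored single expression only accepts a level in the position after the timestamp. The BRACKETS and STACK_TRACE stand-ins are assumptions, since the poster's custom patterns are not shown.

```python
import re

# Stock grok LOGLEVEL pattern as shipped in the logstash-patterns-core grok-patterns
# file (assumption: it matches the version you run; check your own patterns file).
# Note the alternative [Ee]rr?(?:or)?, which accepts "er" on its own.
LOGLEVEL = (
    r"([Aa]lert|ALERT|[Tt]race|TRACE|[Dd]ebug|DEBUG|[Nn]otice|NOTICE|[Ii]nfo|INFO|"
    r"[Ww]arn?(?:ing)?|WARN?(?:ING)?|[Ee]rr?(?:or)?|ERR?(?:OR)?|[Cc]rit?(?:ical)?|"
    r"CRIT?(?:ICAL)?|[Ff]atal|FATAL|[Ss]evere|SEVERE|EMERG(?:ENCY)?|[Ee]merg(?:ency)?)"
)
# Stock grok TIME pattern, simplified here to HH:MM:SS with an optional fraction.
TIME = r"(?:[01]?\d|2[0-3]):[0-5]\d:[0-5]\d(?:\.\d+)?"
# Stand-ins for the poster's custom patterns (assumed, not taken from the thread).
BRACKETS = r"\[[^\]]*\]"
STACK_TRACE = r".*"


def unanchored_loglevel(message: str):
    """What the original config does: search for %{LOGLEVEL} anywhere in the message."""
    m = re.search(f"(?P<LogLevel>{LOGLEVEL})", message)
    return m.group("LogLevel") if m else None


# What the reply recommends: one expression anchored at the start of the line, so
# LOGLEVEL can only match in the slot that follows the timestamp.
LINE = re.compile(
    rf"^(?P<orig_time_stamp>{TIME}) (?P<LogLevel>{LOGLEVEL}) "
    rf"(?P<Header>{BRACKETS}) (?P<ST>{STACK_TRACE})$"
)


def anchored_fields(message: str):
    """Return the captured fields for a well-formed line, or None (grok would tag
    such an event with _grokparsefailure instead of emitting a bogus LogLevel)."""
    m = LINE.match(message)
    return m.groupdict() if m else None


if __name__ == "__main__":
    # Constructed sample messages.
    print(unanchored_loglevel("the number of retries is 3"))   # er
    print(anchored_fields("the number of retries is 3"))       # None
    print(anchored_fields("12:34:56 ERROR [main] java.lang.NullPointerException"))
```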

I have a couple of patterns coming in together, and I thought of avoiding 'if "_grokparsefailure" in [tags]' and having a full pattern every time, but I'll try that and see what happens.