Hello, so I have a log file with something like this:
--57da9965-A--
[19/Dec/2016:12:43:11 +0000] WFfVasd338AAQEAAffdd9yBYAAAAF XX.XX.XX.XX 29364 XX.XX.XX.XX 80
--57da9965-B--
HEAD / HTTP/1.0
--a5519525-A--
[19/Dec/2016:23:24:04 +0000] WFhsFHxsadAAQEAAasdAW1soYAAAAA XX.XX.XX.XX 42222 XX.XX.XX.XX 80
--a5519525-B--
GET /something.txt HTTP/1.0
Accept: /
Host: XX.XX.XX.XX
User-Agent: Wget(linux)
--28cddb4f-A--
[19/Dec/2016:23:24:06 +0000] WFhsFnas8AAQEAAAW2gWNoAAABK XX.XX.XX.XX 42240 XX.XX.XX.XX 80
--28cddb4f-B--
POST /some.php HTTP/1.0
Accept: /
Host: XX.XX.XX.XX
User-Agent: Wget(some)
Content-Type: application/x-www-form-urlencoded
Content-Length: 666
--28cddb4f-C--
asdkbasdjagjsdhvagsdhvasdhasd
In the filter I'm grouping them into blocks delimited by --whatever-A-- with the multiline option.
Now what I need is to be able to use different patterns to match different blocks, since some may use similar patterns but others don't. And when the first pattern matches, just leave the filter, which I suppose will happen naturally.
I've tried with
grok {
  match => [ "message", "pattern1", "pattern2", "pattern3", "pattern4" ]
}
grok {
  match => { "message" => "pattern1" }
  match => { "message" => "pattern2" }
  match => { "message" => "pattern3" }
  match => { "message" => "pattern4" }
}
and some others which I don't remember right now, since I've been stuck here for almost 4 hours.
Does anyone know how to solve this issue?
Thanks.
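The behaviour the post is after (one event per --xxxxxxxx-A-- block, a list of patterns tried in order, stop at the first one that matches) is what Logstash does with a multiline codec of `pattern => "^--[0-9a-f]{8}-A--"`, `negate => true`, `what => "previous"` followed by a single grok filter whose `match` gives one field a list of patterns, e.g. `match => { "message" => [ "pattern1", "pattern2", "pattern3" ] }`; grok's `break_on_match` option defaults to true, so the first matching pattern in the list wins and the others are never tried. The script below is an added example, not code from the post or from Logstash: it re-implements that grouping and first-match-wins logic in plain Python over a constructed copy of the post's log (the masked IPs and Content-Length are made-up, consistent values), so you can see which pattern claims which block and why the order of the list matters. The field and pattern names are my own.

```python
import re

# Constructed sample in the shape of the post's ModSecurity-style audit log
# (IPs and Content-Length are made-up but consistent with the body).
SAMPLE_LOG = """--57da9965-A--
[19/Dec/2016:12:43:11 +0000] WFfVasd338AAQEAAffdd9yBYAAAAF 10.0.0.1 29364 10.0.0.2 80
--57da9965-B--
HEAD / HTTP/1.0
--a5519525-A--
[19/Dec/2016:23:24:04 +0000] WFhsFHxsadAAQEAAasdAW1soYAAAAA 10.0.0.1 42222 10.0.0.2 80
--a5519525-B--
GET /something.txt HTTP/1.0
Accept: */*
Host: 10.0.0.2
User-Agent: Wget(linux)
--28cddb4f-A--
[19/Dec/2016:23:24:06 +0000] WFhsFnas8AAQEAAAW2gWNoAAABK 10.0.0.1 42240 10.0.0.2 80
--28cddb4f-B--
POST /some.php HTTP/1.0
Accept: */*
Host: 10.0.0.2
User-Agent: Wget(some)
Content-Type: application/x-www-form-urlencoded
Content-Length: 29
--28cddb4f-C--
asdkbasdjagjsdhvagsdhvasdhasd
"""

# Stand-in for the multiline codec (pattern "^--[0-9a-f]{8}-A--", negate => true,
# what => previous): an A header opens a new event, any other line is appended
# to the event before it.
EVENT_START = re.compile(r"^--[0-9a-f]{8}-A--$")

# Shared building blocks; named groups play the role of grok's %{PATTERN:field}.
A_SECTION = (
    r"^--(?P<id>[0-9a-f]{8})-A--\n"
    r"\[(?P<timestamp>[^\]]+)\] (?P<unique_id>\S+) "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+)\n"
    r"--(?P=id)-B--\n"
)
REQUEST_LINE = r"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<httpversion>[\d.]+)"

# Ordered like a grok match list: most specific first, because the first
# pattern that matches wins (grok's break_on_match => true, the default).
PATTERNS = [
    ("request_with_body", re.compile(
        A_SECTION + REQUEST_LINE + r"\n(?P<headers>(?:.+\n)*)"
        r"--(?P=id)-C--\n(?P<body>[\s\S]*)\Z")),
    ("request_with_headers", re.compile(
        A_SECTION + REQUEST_LINE + r"\n(?P<headers>(?:.+\n?)+)\Z")),
    ("bare_request", re.compile(
        A_SECTION + REQUEST_LINE + r"\n?\Z")),
]


def split_events(text):
    """Group raw lines into one multi-line string per --xxxxxxxx-A-- block."""
    events, current = [], []
    for line in text.splitlines():
        if EVENT_START.match(line) and current:
            events.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        events.append("\n".join(current))
    return events


def parse_headers(raw):
    """Turn B-section header lines into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_event(event, patterns=PATTERNS):
    """Try the patterns in order; return the fields of the first one that matches.

    An event no pattern matches gets grok's _grokparsefailure tag instead.
    """
    for name, pattern in patterns:
        match = pattern.match(event)
        if match:
            fields = match.groupdict()
            fields["pattern"] = name
            fields["headers"] = parse_headers(fields.get("headers") or "")
            return fields
    return {"tags": ["_grokparsefailure"], "message": event}


def parse_log(text, patterns=PATTERNS):
    return [parse_event(event, patterns) for event in split_events(text)]


if __name__ == "__main__":
    for fields in parse_log(SAMPLE_LOG):
        print(fields.get("pattern"), fields.get("method"), fields.get("uri"), fields.get("body"))
```

Two things carry over to the real grok filter. First, put all the alternatives in one grok with a list of patterns rather than several `match` lines, and order them most-specific-first: if `parse_log` is run with `reversed(PATTERNS)` the POST block is claimed by the headers-only pattern and its C-section body is never extracted, which is exactly what happens in grok when a loose pattern sits ahead of a tighter one. Second, the multiline codec joins the lines with `\n`, so a grok pattern that has to cross section boundaries must match those newlines explicitly (or start with `(?m)` where `^`/`$` per line is wanted), as the regexes above do.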