Grok multiple pattern and tag_on_failure for each pattern

sagark · October 3, 2018, 5:21am

Hello, I am trying to use multiple grok pattern under single grok, but when any of the pattern matches, it should not add tag_on_failure. Or can I add tag_on_failure for each pattern? Configuration is as below:

grok {
match => { "message" => [ "%{pattern1}", "%{pattern2}" ] tag_on_failure => ["parse-failed"] }

In above case, when logline matches with pattern1 and failed with pattern2 then it add tag_on_failure to it and when logline doesn't match with pattern1 but match with pattern2 then it will not add tag_on_failure.

Please suggest

bardie · October 3, 2018, 1:42pm

Use the following

  grok {
    break_on_match => true
    tag_on_failure => ["parse-failed"]
    match => [ 'message', '%{PATTERN1}' ]
    match => [ 'message', '%{PATTERN2}' ]
    match => [ 'message', '%{PATTERN3}' ]
}

sagark · October 4, 2018, 5:00am

Thanks for the reply and help Bardie. Can you tell me one more thing that why do we need to write "break_on_match => true" when its the default value ? So is that the case with other options as well ?

Ref: https://www.elastic.co/guide/en/logstash/5.3/plugins-filters-grok.html#plugins-filters-grok-break_on_match

bardie · October 4, 2018, 2:30pm

break_on_match => true is used when you have multiple matches and you want to prevent logstash from trying all the match statements on grok

magnusbaeck · October 5, 2018, 5:17pm

Can you tell me one more thing that why do we need to write "break_on_match => true" when its the default value ?

You don't. break_on_match is the default behavior.

system · November 2, 2018, 5:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.