Grok Pattern with If Condtion

Jaideep · February 18, 2019, 7:36am

Hi

I am new to logstash.I am using grok filter based on condition.For example if Network contains in message then do following match and if security contain in message then do some other match.I have written following code

filter {

if "\bNetwork\b"  in [message] {
	grok {

	match => { "message" => "%{DATESTAMP:Netdtstmp} %{INT:NetID}%{SPACE}%{WORD:NetCat}%{GREEDYDATA:NetMsg}"
			}
	}
}
if "\bSecurity\b"  in [message]   
{

	grok {

	match => { "message" => "%{DATESTAMP:Netdtstmp1} %{INT:NetID1}% 
                             {SPACE}%{WORD:NetCat1}%{GREEDYDATA:NetMsg}"
	    }
	}
   
}

}

output {

file { 
	codec => line {
	format =>  "%{[NetID1]},%{[NetID]},%{[NetCat]},%{[NetCat1]}"
	 }
	path => "D:/Monitoring/LogCEP/out/log-out.txt"
	}

 
 
}

But its not working.grok does not read the lines in logfile for any condition.

pjanzen · February 18, 2019, 12:31pm

Without example loglines it is very hard to determine the problem but if I was a betting man I would say the "\bSecurity\b" could pose a problem.

When you do conditional statements and the grok is not processed, it is not grok problem but (in this case) a if statement problem..

Remove the "\b" and try again..

system · March 18, 2019, 12:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.