Grok Placement


(Jack ELK West) #1

I am wondering about processing. Is there any benefit to putting a GROK pattern in the input rather than creating nested conditional statements in the filter?


(Magnus Bäck) #2

"Grok pattern in the input", what does that mean? Could you give example of the two cases you want to compare?


(Jack ELK West) #3

This is a very rough example of what I'm considering. This way, in the filter below, I wouldn't have to grok just to add a field to a single input with multiple log types coming in.

input {
    udp {
        port => "514"
        grok {
            match => { "message" => "<%{BASE10NUM:LCE_log_num}>%{SYSLOGTIMESTAMP:LCE_time} %{NOTSPACE}: %{NOTSPACE} %{IP:Source_IP}:%{BASE10NUM:Source_Port} -> %{IP:Destination_IP}:%{BASE10NUM:Destination_Port} ::" }
            add_field => { "sort_num" => "%{LCE_log_num}" }
        }
    }
}

filter {
    if [sort_num] == "36" {
        grok {
            match => { "message" => "%{PROG:Log_Type},%{DATE_US:Event_Date},%{TIME:Event_Time} %{WORD},%{PROG:Log},%{BASE10NUM},%{WORD:Error_id},%{PROG},%{WORD},%{PROG},%{HOST},IP:%{IP},%{BASE10NUM}" }
        }
    }

    mutate {
    }
}

output {
}

(Jack ELK West) #4

Can I use grok in the input section?


(Magnus Bäck) #5

No, grok is a filter that can only be placed in the filter section.

A typical solution to your problem is to segregate different kinds of messages by the type field and/or via tags and put conditionals on those fields/tags around the filters.

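As an added example (not from either poster), here is the layout the answer above describes: the `udp` input only labels events with `type` and `tags`, and all grok work happens in the filter section, guarded by conditionals on those labels. The two grok patterns are the ones from post #3; the `type` value, the failure tags, the `lce-` index name and the Elasticsearch host are assumptions made for the example.

```logstash
input {
  udp {
    port => 514
    # Inputs cannot run grok, but they can label every event they emit.
    type => "lce_syslog"      # assumed type name for this listener
    tags => ["lce"]           # assumed tag; handy when several inputs share a pipeline
  }
}

filter {
  # Only events from the LCE listener get the LCE header parse.
  if [type] == "lce_syslog" {
    grok {
      match => { "message" => "<%{BASE10NUM:LCE_log_num}>%{SYSLOGTIMESTAMP:LCE_time} %{NOTSPACE}: %{NOTSPACE} %{IP:Source_IP}:%{BASE10NUM:Source_Port} -> %{IP:Destination_IP}:%{BASE10NUM:Destination_Port} ::" }
      # A distinct failure tag (instead of the default _grokparsefailure)
      # shows which stage failed to parse a message.
      tag_on_failure => ["_lce_header_unparsed"]
    }

    # Branch on the field the header grok just extracted; no extra
    # "sort_num" copy is needed since the conditional can read LCE_log_num directly.
    if [LCE_log_num] == "36" {
      grok {
        match => { "message" => "%{PROG:Log_Type},%{DATE_US:Event_Date},%{TIME:Event_Time} %{WORD},%{PROG:Log},%{BASE10NUM},%{WORD:Error_id},%{PROG},%{WORD},%{PROG},%{HOST},IP:%{IP},%{BASE10NUM}" }
        tag_on_failure => ["_lce_36_unparsed"]
      }
    }
  }
}

output {
  # Route unparsed events somewhere visible rather than silently indexing
  # half-parsed records; the Elasticsearch host and index name are assumptions.
  if "_lce_header_unparsed" in [tags] or "_lce_36_unparsed" in [tags] {
    stdout { codec => rubydebug }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "lce-%{+YYYY.MM.dd}"
    }
  }
}
```

Because grok only ever runs inside the `if [type] == ...` block, adding a second listener on another port with a different `type` costs nothing for LCE events, and the per-stage `tag_on_failure` values make it easy to alert on a sudden rise in unparsed messages, which is usually the first sign that a log format changed or that something unexpected is sending to the port.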

(system) #6