Grokking multiple line formats

StivOstenberg · November 30, 2017, 5:55pm

New to grokking, and trying to modify an AWS ELB log filter to handle AWS ALB logs (one additional field at the beginning, 4 at the end)

if [type] == "{{logstash_elb_access_logs_type}}" {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{NOTSPACE:elb_name} %{IP:elb_client_ip}:%{INT:elb_client_port:int} (?:%{IP:elb_backend_ip}:%{NUMBER:elb_backend_port:int}|-) %{NUMBER:request_processing_time:float} %{NUMBER:backend_processing_time:float} %{NUMBER:response_processing_time:float} (?:%{INT:elb_status_code:int}|-) (?:%{INT:backend_status_code:int}|-) %{INT:elb_received_bytes:int} %{INT:elb_sent_bytes:int} "(?:%{GREEDYDATA:elb_request}|-)" "(?:%{GREEDYDATA:userAgent}|-)" %{NOTSPACE:elb_sslcipher} %{NOTSPACE:elb_sslprotocol}"]
match => ["message", "%{GREEDYDATA:event_name} for ELB: %{NOTSPACE:elb_name} at %{TIMESTAMP_ISO8601:log_timestamp}"]
}

In that statement, I see two "match" lines. Does grok go through each "match" seeking the best fit, so I simply need to add another Match line, or do I need to create a match that can handle either format?

JKhondhu · November 30, 2017, 6:06pm

Hi,
Here is a link on grok basics: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#_grok_basics

http://grokdebug.herokuapp.com and http://grokconstructor.appspot.com/ are useful for helping building patterns to match your logs.

This is what the match param is: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#plugins-filters-grok-match

Grok does go through each match. You will want to create, add a match that catches what you require from your logs.

StivOstenberg · November 30, 2017, 7:08pm

Thank you. Been all through the Grok Basics, and had built some grokkers through the GrokConstructor, just could not find any examples or explanations about how multiple Grok lines were handled. You answered that, and I am good to go.

JKhondhu · November 30, 2017, 8:25pm

Good to hear. Here is note of break on match which, the first successful match by grok will result in the filter being finished: https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#plugins-filters-grok-break_on_match

system · December 28, 2017, 8:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with the Grok filter Logstash	2	344	December 13, 2019
Elb logs grok inside grok Logstash	6	1297	May 29, 2017
Logstash, nested json and AWS ELB logs Logstash	3	1100	July 6, 2017
Want to match against single grok pattern and multiple patterns in same filter Logstash	1	257	September 23, 2020
Grok filter multiple match Logstash	4	18219	October 31, 2019

Grokking multiple line formats

Related topics