How can I check loglevel with use of If else condition in logstash filter?

filter{
# 1. for LogLevel.Error logs
grok{
match=> ["message","%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger}
%{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}"]
}
# 2. for other Level logs except Error
grok{
match=> ["message","%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger}
%{USER:user} %{GREEDYDATA:message}"]
}
}

Here are two grok patterns i want to use both.
but whether loglevel is Error and Fatal I need to use number 1 grok pattern.
and the others levels like Warn Debug Trace Info I need the number 2 grok pattern.
How can I do that?

Two options I can think of

One is parse out the level before parsing the rest of the line

grok { match=> [ "message","^%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:restOfLine}" ] }
if [level] in [ "Error", "Fatal" ] {
    grok { match=> ["restOfLine", "^%{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}" ] }
} else {
    grok { match=> ["restOfLine", "^%{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}"] }
}

The other is to try both patterns, the more specific one first, and see which one works:

grok {
    match=> {
        "message" => [
            "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} % GREEDYDATA:message}",
            "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}"
        ]
    }
}

the first one you suggested it works
Thanks you !

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.