filter {
  # 1. for LogLevel.Error logs
  grok {
    match => ["message", "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}"]
  }
  # 2. for other Level logs except Error
  grok {
    match => ["message", "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}"]
  }
}
Here are two grok patterns; I want to use both.
When the log level is Error or Fatal I need to use grok pattern number 1,
and for the other levels like Warn, Debug, Trace and Info I need grok pattern number 2.
How can I do that?
Badger
October 2, 2020, 9:24pm
Two options I can think of.
One is to parse out the level before parsing the rest of the line:
# Parse the common prefix first and leave the remainder in restOfLine
grok { match => [ "message", "^%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:restOfLine}" ] }
if [level] in [ "Error", "Fatal" ] {
  # Error/Fatal lines carry url, method and clientIp (pattern 1 from the question)
  grok { match => [ "restOfLine", "^%{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}" ] }
} else {
  # every other level uses the shorter layout (pattern 2 from the question)
  grok { match => [ "restOfLine", "^%{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}" ] }
}
The other is to try both patterns, the more specific one first, and see which one works:
grok {
  match => {
    "message" => [
      "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}",
      "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}"
    ]
  }
}
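Both of Badger's approaches, reimplemented as an added Python example (this is not Logstash code and not from the original thread) so their behaviour can be compared on sample lines. The grok library in the block is a hand-written subset of logstash-patterns-core; DATESTAMP is assembled from the real sub-patterns, while LOGLEVEL, URI and IPV4 are simplified for the demo. The log lines are constructed, and the level names follow the question (Error, Fatal, Info). The example also shows what the ordering rule in the second approach buys: with the generic pattern listed first, an Error line still matches, but url, method and clientIp silently end up inside message.

```python
import re

# Subset of logstash-patterns-core. DATESTAMP uses the real sub-patterns;
# LOGLEVEL, URI and IPV4 are simplified here (assumption for the demo; the
# real URI pattern in grok is considerably stricter than "scheme://non-space").
GROK_PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME": r"%{HOUR}:%{MINUTE}(?::%{SECOND})?",
    "DATE_US": r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU": r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE": r"%{DATE_US}|%{DATE_EU}",
    "DATESTAMP": r"%{DATE}[- ]%{TIME}",
    "LOGLEVEL": r"(?:[Tt]race|TRACE|[Dd]ebug|DEBUG|[Ii]nfo|INFO|[Ww]arn(?:ing)?|WARN(?:ING)?"
                r"|[Ee]rr(?:or)?|ERR(?:OR)?|[Ff]atal|FATAL)",
    "USERNAME": r"[a-zA-Z0-9._-]+",
    "USER": r"%{USERNAME}",
    "IPV4": r"(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)",
    "URI": r"[A-Za-z][A-Za-z0-9+.-]*://\S+",
    "GREEDYDATA": r".*",
}

# %{NAME}, %{NAME:field} and %{NAME:field:type} references
_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::\w+)?\}")


def grok_to_regex(pattern):
    """Expand grok references recursively into a Python regex with named groups."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        inner = grok_to_regex(GROK_PATTERNS[name])
        # Wrap every expansion so alternations like DATE_US|DATE_EU stay grouped.
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return _REF.sub(repl, pattern)


def grok_match(pattern, text):
    """Return the captured fields as a dict, or None when the pattern does not match."""
    m = re.match(grok_to_regex(pattern), text)
    return m.groupdict() if m else None


# The two layouts from the question, plus the common prefix used by approach 1.
PATTERN_SPECIFIC = (r"^%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} "
                    r"%{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}")
PATTERN_GENERIC = r"^%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}"
HEADER = r"^%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:restOfLine}"
DETAIL_ERROR = r"^%{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}"
DETAIL_OTHER = r"^%{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}"

GROK_FAILURE = {"tags": ["_grokparsefailure"]}


def parse_conditional(line):
    """Approach 1: parse the prefix, then pick the detail pattern from [level]."""
    head = grok_match(HEADER, line)
    if head is None:
        return dict(GROK_FAILURE)
    detail_pattern = DETAIL_ERROR if head["level"] in ("Error", "Fatal") else DETAIL_OTHER
    # Equivalent of remove_field => ["restOfLine"] in the Logstash pipeline.
    detail = grok_match(detail_pattern, head.pop("restOfLine"))
    if detail is None:
        head["tags"] = ["_grokparsefailure"]
        return head
    head.update(detail)
    return head


def parse_first_match(line, patterns):
    """Approach 2: try each pattern in order and keep the first one that matches."""
    for pattern in patterns:
        fields = grok_match(pattern, line)
        if fields is not None:
            return fields
    return dict(GROK_FAILURE)


# Constructed sample lines (not from the thread). The third is a Fatal line
# written without the url/method/clientIp fields to show how the approaches differ.
SAMPLE_LINES = [
    "10/02/2020 21:24:05 Error app.web alice http://example.com/login POST 10.1.2.3 login failed",
    "10/02/2020 21:24:06 Info app.web bob user signed in",
    "10/02/2020 21:24:07 Fatal app.db svc out of connections",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("conditional :", parse_conditional(line))
        print("first-match :", parse_first_match(line, [PATTERN_SPECIFIC, PATTERN_GENERIC]))
        print("wrong order :", parse_first_match(line, [PATTERN_GENERIC, PATTERN_SPECIFIC]))
```

The two approaches disagree on the constructed Fatal line that lacks the url, method and clientIp fields: the conditional version tags it _grokparsefailure, while the try-both version falls through to the generic layout and produces a clean-looking event with no indication that the Error/Fatal fields were missing. Pick whichever failure mode you want to alert on. Two details carry over to a real Logstash pipeline: add overwrite => ["message"] to the grok filter that captures into message, otherwise grok appends and message becomes an array holding both the raw line and the captured remainder, and anchor the patterns with ^ as Badger's first version does, so a line that does not match fails immediately instead of being retried from every offset.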
The first one you suggested works.
Thank you!
system
October 31, 2020, 7:34am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.