How to add multiple grok patterns in one filter?

Hi,
My use case is to match one of several regexes using multiple grok filters in one filter block. I tried using multiple grok filters, but one of the patterns is not matched even though that pattern is present in the input.

Here is my filter

filter
{
  json
  {
    source => "message"
    target => "message"
  }

  if [type] == 'dmesg'
  {
    grok
    {
      match => { "logs" => "killed by TERM signal" }
      add_field => { "tagName" => "GENERIC_EMERGENCY" "module" => "null" }
    }

    grok
    {
      match => { "logs" => "^<1>" }
      add_field => { "tagName" => "GENERIC_ALERT" "module" => "null" }
    }

    grok
    {
      match => { "logs" => "^<3>" }
      add_field => { "tagName" => "GENERIC_ERROR" "module" => "null" }
    }

    grok
    {
      match => { "logs" => "^<4>" }
      add_field => { "tagName" => "GENERIC_WARNING" "module" => "null" }
    }
  }

  if "_grokparsefailure" in [tags]
  {
    drop { }
  }
}

@magnusbaeck please have a look

Hi,
This can be easily achieved by using multiple grok patterns. You need to do something like this:

grok
{
  match => { "message" => "killed by TERM signal" }
  add_field  => 
  {
    "tagName"=> "GENERIC_EMERGENCY"  
    "module" => "null"
  }
}

It matches "message" with the pattern. Sorry if I am getting it wrong, but what is "logs" in your case? Do you get it in JSON format as a field?

Yes, I get "logs" as input instead of "message".

Try using this:

grok
{
  match => [ "message" , "killed by TERM signal" ]
  add_field  => 
  {
    "tagName"=> "GENERIC_EMERGENCY"  
    "module" => "null"
  }
}

What you get as an input is stored in "message". Try to match it with one pattern just to see if it is working fine, and then you can add multiple grok patterns in your file.
Can you share json of your logs simply using this?

output
{
   stdout { codec => rubydebug }
}
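A complete filter block in the shape the thread is working towards, added here as an example rather than code posted by either participant. It assumes the JSON is decoded into top-level fields (no `target`), so `logs` is a top-level string field, and it assumes the `type`, `tagName` and `module` names from the original post. It also addresses the trap in the original configuration: every grok that does not match adds `_grokparsefailure`, and with four independent groks at most one can match a given line, so dropping on that tag discards every event.

```logstash
# Added example, not from the thread. Assumptions: events arrive as JSON on
# "message", are decoded to top-level fields so [logs] is a top-level string,
# and [type] is "dmesg". Tag and field names follow the original post.
filter {
  json {
    source => "message"
    # No "target": parsed keys such as "logs" land at the top level.
    # With target => "message" the field would be [message][logs] instead,
    # and a grok match on "logs" would never see it.
  }

  if [type] == "dmesg" {
    # tag_on_failure => [] stops each non-matching grok from adding
    # "_grokparsefailure"; whether anything matched is decided once, below.
    grok {
      match => { "logs" => "killed by TERM signal" }
      add_field => { "tagName" => "GENERIC_EMERGENCY" "module" => "null" }
      tag_on_failure => []
    }
    grok {
      match => { "logs" => "^<1>" }
      add_field => { "tagName" => "GENERIC_ALERT" "module" => "null" }
      tag_on_failure => []
    }
    grok {
      match => { "logs" => "^<3>" }
      add_field => { "tagName" => "GENERIC_ERROR" "module" => "null" }
      tag_on_failure => []
    }
    grok {
      match => { "logs" => "^<4>" }
      add_field => { "tagName" => "GENERIC_WARNING" "module" => "null" }
      tag_on_failure => []
    }

    # Keep only events that one of the patterns classified.
    if ![tagName] {
      drop { }
    }
  }
}
```

Two things to check before relying on this. First, `add_field` on a field that already exists turns it into an array, so if a line can satisfy two of the patterns (a `<1>` line that also contains "killed by TERM signal") `tagName` becomes a list; guard later groks with `if ![tagName]` or order the patterns so they are mutually exclusive. Second, a single grok does accept an array of patterns (`match => { "logs" => [ "^<1>", "^<3>", "^<4>" ] }`) and stops at the first match by default (`break_on_match => true`), but it applies one set of `add_field` values whichever pattern hit, so per-pattern tags like the ones above still need separate groks or conditionals.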

thanks @MariumHassan
