How to define patterns_dir as global in logstash...?

rahulkothanath · July 3, 2019, 9:14pm

Hi,
I have a pattens file which contains diffrent patterns as line by line. I am matching each pattern as follows.

 if [tran_type_cd] in ["EMD","EMA","EMC","EMF","EMU","EMX"] {  
        	grok {patterns_dir   => ["logstash-7.0.0/schemas/nonrtd/patterns"]
              	  match => { "message" => "%{EMD}" }}}

          else if [tran_type_cd] in ["ISG","IPV"]{
          	grok {patterns_dir   => ["logstash-7.0.0/schemas/nonrtd/patterns"]
                 match => { "message" => "%{ISG}" }}}

          else if [tran_type_cd] in ["IEN","IER","MEN","MER","TEN"]{
                grok {patterns_dir   => ["logstash-7.0.0/schemas/nonrtd/patterns"]
                 match => { "message" => "%{IEN}" }}}

          else if [tran_type_cd] == "IPU"{
                grok {patterns_dir   => ["logstash-7.0.0/schemas/nonrtd/patterns"]
                 match => { "message" => "%{IPU}" }}}

I am loading patterns_dir for each else conditions. How can I define patterns_dir as global and match pattern directly. this could avoid defining patterns_dir for each else if conditions.

thanks for reading and hellping.

AquaX · July 6, 2019, 9:43pm

You can define multiple grok patterns in a single match

grok {
    patterns_dir   => ["logstash-7.0.0/schemas/nonrtd/patterns"]
    match => { "message" => [ "%{EMD}", 
                              "%{ISG}", 
                              "%{IEN}", 
                              "%{IPU}" ]
    }

rahulkothanath · July 7, 2019, 4:29pm

This is useful ,but I also need to check if condition based on variable "trans_type_cd" before matching.

thanks for reading and helping.

AquaX · July 7, 2019, 9:59pm

Why do you need to check for that field before matching? Why not after?

rahulkothanath · July 7, 2019, 10:02pm

if value of transa_type_cd is diffrent ,then I need to match message with diffrent pattern. where should I put the if else if conditions as per your solution ..

thanks for reading and helping

Badger · July 8, 2019, 1:11pm

No, you do not. You can give the grok filter a list of patterns and it will match against whichever one works. Unless they are ambiguous it will do the if-else if-else if for you.

rahulkothanath · July 8, 2019, 6:07pm

That is cool. will check it out.

thanks or reading and helping

system · August 5, 2019, 6:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.