That's a reasonable way for it to match. The .* in ' app_name ' consumes everything and all parts of ' logdate ' are optional, so an empty string matches. In a grok filter you can match against an array of patterns, one of which has an optional .log and the other has an optional date.
1 Like