How to find if grok pattern is matched ot not?

Elastic Stack Logstash
1

Hi, I want to find if grok pattern is matched or not.
If pattern is matched then add one new field in given json else ignore to output it .

here is my input json

{
"type": "dmesg",
"hostName": "ramesh-nagargoje",
"os": "windo",
"bseid": 1234,
"logs": "[ 0.000000] Initializing cgroup subsys cpuset\n[ 0.000000] Initializing cgroup subsys cpu\n[ 0.000000] Initializing cgroup subsys cpuacct\n[ 0.000000] Linux version 3.13.0-144-generic (buildd@lgw01-amd64-059)"
}

Here is my filter

filter
{
if [type] == 'dmesg'
{

        grok
        {
                 match => { [logs] => "Initializing cgroup subsys" }
               add_field  => {"tag"=>"tagname1"}
        }

        grok
        {
                 match => { [logs] => "Linux version" }
               add_field  => {"tag"=>"tagname2"}
        }

}

}

2

When you use add_field like this it'll only trigger when the filter is successful, i.e. the grok filter (in this case) has matched.

If the grok filter fails it'll additionally tag the event with _grokparsefailure (unless configured otherwise with the tag_on_failure option).

3

thanks @magnusbaeck it worked. But I don’t want to send output to ES if grok is not matched.

4

Then you can use a conditional to either wrap a drop filter or your elasticsearch output.

5

thanks @magnusbaeck it helped a lot.

if "_grokparsefailure" in [tags]
{
drop { }
}

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.