How to find if grok pattern is matched ot not?

RameshNagargoje · April 18, 2018, 6:38am

Hi, I want to find if grok pattern is matched or not.
If pattern is matched then add one new field in given json else ignore to output it .

here is my input json

{
"type": "dmesg",
"hostName": "ramesh-nagargoje",
"os": "windo",
"bseid": 1234,
"logs": "[ 0.000000] Initializing cgroup subsys cpuset\n[ 0.000000] Initializing cgroup subsys cpu\n[ 0.000000] Initializing cgroup subsys cpuacct\n[ 0.000000] Linux version 3.13.0-144-generic (buildd@lgw01-amd64-059)"
}

Here is my filter

filter
{
if [type] == 'dmesg'
{

        grok
        {
                 match => { [logs] => "Initializing cgroup subsys" }
               add_field  => {"tag"=>"tagname1"}
        }

        grok
        {
                 match => { [logs] => "Linux version" }
               add_field  => {"tag"=>"tagname2"}
        }

}

}

magnusbaeck · April 18, 2018, 6:41am

When you use add_field like this it'll only trigger when the filter is successful, i.e. the grok filter (in this case) has matched.

If the grok filter fails it'll additionally tag the event with _grokparsefailure (unless configured otherwise with the tag_on_failure option).

RameshNagargoje · April 18, 2018, 6:55am

thanks @magnusbaeck it worked. But I don’t want to send output to ES if grok is not matched.

magnusbaeck · April 18, 2018, 8:37am

Then you can use a conditional to either wrap a drop filter or your elasticsearch output.

RameshNagargoje · April 18, 2018, 10:18am

thanks @magnusbaeck it helped a lot.

if "_grokparsefailure" in [tags]
{
drop { }
}

system · May 16, 2018, 10:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.