How to grok log file with 2 line formats?

med_amine · July 23, 2018, 10:05am

iughikugkgkjk

Badger · July 23, 2018, 12:07pm

You can pass grok an array of patterns and it will try each in turn. Like this...

    grok {
        match => { "message" => [
            '^%{IPORHOST:clientip} - - \[%{HTTPDATE:time_local}\] "%{WORD:action} /%{DATA:application}/%{DATA:ressource}%{WORD}=%{DATA:SAG} %{WORD:protocol}/%{NUMBER:protocol_num}" %{INT:status} %{NUMBER:bytes_sent} %{DATA} "%{DATA:http_user_agent}" %{DATA} %{IP:Address}:%{NUMBER:port_num} %{NUMBER:value1} %{NUMBER:value2} %{NUMBER:value3}',
            '^%{IPORHOST:clientip} - - \[%{HTTPDATE:time_local}\] "%{WORD:action} /%{DATA:application}/%{DATA:ressource}%{WORD}=%{DATA:SAG} %{WORD:protocol}/%{NUMBER:protocol_num}" %{INT:status} %{NUMBER:bytes_sent} %{DATA} "%{DATA:http_user_agent}" %{DATA} %{IP:fe1}:%{NUMBER:port_num1}, %{IP:fe2}:%{NUMBER:port_num2} %{NUMBER:value1}, - %{BASE10NUM:value2}, - %{BASE10NUM:value3}, - %{BASE10NUM:value4}'
            ]
        }

If a line would fit multiple patterns (not the case here) you need to make sure the more specific pattern is earlier in the list.

med_amine · July 23, 2018, 1:12pm

buhjklgbk

med_amine · July 23, 2018, 1:17pm

thank u very much !! it works now !!

system · August 20, 2018, 1:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok multiple matches issue Logstash	1	452	January 19, 2017
Grok pattern match for multiple lines Logstash docker	3	880	May 14, 2020
Multiple patterns in grok filter Logstash	4	3380	November 16, 2018
Want to match against single grok pattern and multiple patterns in same filter Logstash	1	257	September 23, 2020
How to grok different format record lines in one single log file Logstash	5	1034	July 10, 2020

How to grok log file with 2 line formats?

Related topics