How to grok log file with 2 line formats?

med_amine · July 23, 2018, 10:05am

iughikugkgkjk

Badger · July 23, 2018, 12:07pm

You can pass grok an array of patterns and it will try each in turn. Like this...

    grok {
        match => { "message" => [
            '^%{IPORHOST:clientip} - - \[%{HTTPDATE:time_local}\] "%{WORD:action} /%{DATA:application}/%{DATA:ressource}%{WORD}=%{DATA:SAG} %{WORD:protocol}/%{NUMBER:protocol_num}" %{INT:status} %{NUMBER:bytes_sent} %{DATA} "%{DATA:http_user_agent}" %{DATA} %{IP:Address}:%{NUMBER:port_num} %{NUMBER:value1} %{NUMBER:value2} %{NUMBER:value3}',
            '^%{IPORHOST:clientip} - - \[%{HTTPDATE:time_local}\] "%{WORD:action} /%{DATA:application}/%{DATA:ressource}%{WORD}=%{DATA:SAG} %{WORD:protocol}/%{NUMBER:protocol_num}" %{INT:status} %{NUMBER:bytes_sent} %{DATA} "%{DATA:http_user_agent}" %{DATA} %{IP:fe1}:%{NUMBER:port_num1}, %{IP:fe2}:%{NUMBER:port_num2} %{NUMBER:value1}, - %{BASE10NUM:value2}, - %{BASE10NUM:value3}, - %{BASE10NUM:value4}'
            ]
        }

If a line would fit multiple patterns (not the case here) you need to make sure the more specific pattern is earlier in the list.

med_amine · July 23, 2018, 1:12pm

buhjklgbk

med_amine · July 23, 2018, 1:17pm

thank u very much !! it works now !!

system · August 20, 2018, 1:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.