How to map multiple patterns using dissect

Hi all, do we have any option to map more than one mapping of a raw event, as we do with grok, like grok {match => {"fieldname" => ["pattern1", "pattern2", "patternN" ...]}}?

The code below fails if I see any different pattern in my raw logs. I want to create more than one mapping. Please help me.

    dissect {
      mapping => {
        "message" => "%{winlog_header}

%{winlog_subject}

%{winlog_logon}

%{winlog_impersonation}

%{winlog_newlogon}

%{winlog_process}"
      }
      tag_on_failure => ["event_code_4624_dissect_failed"]
    } # end dissect

Sir,

In the above, I'm dissecting the content of the message field: wherever \n\n occurs, create a field before and after the \n\n. So I'm creating 6 fields, but now I'm seeing only 3 \n\n delimiters in my raw logs. I want the message to also consider a second match: if the first mapping fails, then it should consider the second mapping. Do we have any option using dissect, or can you suggest any other option that could resolve this issue? Thank you in advance.

Hi Community,

I'll be grateful if someone could please reply to me on this. I know I have an option like

    if "event_code_4624_dissect_failed" in [tags] {
      dissect {
        this_pattern
      }
      ...
    }
but I don't want to use this. I want to hear about any option for matching multiple dissect patterns, as grok match offers with grok {match => {"field" => ["pattern1", "pattern2", "patternN"]}}.

There is no such option.

So what could be the best option to cater for this situation?

You can make the dissect conditional, which you said you do not want to do, or unconditionally do multiple dissects. Or use grok. I am pretty sure grok can do anything dissect can do.
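The two workarounds named in the reply above, written out as a complete Logstash filter section. This is an added example, not code from the thread or from Elastic's documentation. It assumes the Windows event 4624 message body separates its sections with blank lines (\n\n), as the question describes; that the shorter variant the poster sees has four sections (header, subject, logon, process), which is an assumed shape; and, for the dissect variant only, that logstash.yml sets config.support_escapes: true so that \n inside the quoted mapping becomes a real newline (without that setting you must embed literal line breaks in the string, as the original post does). Grok does not need that setting, because the regex engine interprets \n itself. Field and tag names follow the original post; event_code_4624_dissect_short_failed and event_code_4624_grok_failed are assumed names.

```logstash
filter {
  # Attempt 1: the full six-section layout. Dissect fails, and tags the event,
  # when the message contains fewer "\n\n" delimiters than the mapping expects.
  dissect {
    mapping => {
      "message" => "%{winlog_header}\n\n%{winlog_subject}\n\n%{winlog_logon}\n\n%{winlog_impersonation}\n\n%{winlog_newlogon}\n\n%{winlog_process}"
    }
    tag_on_failure => ["event_code_4624_dissect_failed"]
  }

  # Attempt 2 runs only when attempt 1 failed. Order matters: try the longest
  # mapping first, because the last %{field} of a dissect mapping swallows the
  # rest of the string, so a four-field mapping would also "match" a six-section
  # message and silently merge the remaining sections into winlog_process.
  if "event_code_4624_dissect_failed" in [tags] {
    dissect {
      mapping => {
        # Assumed four-section shape for the shorter variant (not from the thread).
        "message" => "%{winlog_header}\n\n%{winlog_subject}\n\n%{winlog_logon}\n\n%{winlog_process}"
      }
      tag_on_failure => ["event_code_4624_dissect_short_failed"]
    }
    # Clear the first failure tag when the fallback succeeded, so downstream
    # conditionals and dashboards only see events that matched neither mapping.
    if "event_code_4624_dissect_short_failed" not in [tags] {
      mutate { remove_tag => ["event_code_4624_dissect_failed"] }
    }
  }
}

# Alternative: use this filter INSTEAD of the dissect chain above. grok tries the
# patterns in array order and stops at the first one that matches (break_on_match
# defaults to true), which is exactly the "first pattern, then second" behaviour
# the question asks for. (?m) lets "." span the single newlines inside a section;
# the literal "\n\n" between sections stops DATA (lazy .*?) at a section boundary;
# \A and \z anchor the pattern to the whole message so a partial match cannot
# succeed by skipping a leading or trailing section.
filter {
  grok {
    match => {
      "message" => [
        "(?m)\A%{DATA:winlog_header}\n\n%{DATA:winlog_subject}\n\n%{DATA:winlog_logon}\n\n%{DATA:winlog_impersonation}\n\n%{DATA:winlog_newlogon}\n\n%{GREEDYDATA:winlog_process}\z",
        "(?m)\A%{DATA:winlog_header}\n\n%{DATA:winlog_subject}\n\n%{DATA:winlog_logon}\n\n%{GREEDYDATA:winlog_process}\z"
      ]
    }
    tag_on_failure => ["event_code_4624_grok_failed"]
  }
}
```

Practical caveat: the grok version is simpler to read but costs regex backtracking on every multi-kilobyte 4624 message, whereas the dissect chain is a plain delimiter scan and runs a second pass only for the events that actually need it; on a pipeline ingesting logon events at volume that difference is measurable, so keep the anchors and the lazy DATA patterns if you choose grok.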
