How to match multiple fields: use multiple field, multiple match, or multiple grok?

Log file to analyze:

GET /login.html?user=hjfeng1988 HTTP/1.1

multiple field

filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
      "request_uri" => ["%{DATA:uri}\?.*"]
    }
  }
}

multiple match

filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
    }
    match => {
      "request_uri" => ["%{DATA:uri}\?.*"]
    }
  }
}

multiple grok

filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
    }
  }
  grok {
    match => {
      "request_uri" => ["%{DATA:uri}\?.*"]
    }
  }
}

I tried them; only multiple grok works in my case.

As you say, multiple groks will work. Multiple match will never work, because one match overwrites the other in the final configuration of the filter.

You can get multiple field to work by adding 'break_on_match => false'. The default behaviour is for grok to work through the list until one pattern matches and then stop.

Thank you very much.
Another problem: I have tried a few ways to get both request_uri and uri, but they always fail.
Log file to analyze:

GET /login.html?user=hjfeng1988 HTTP/1.1
GET /login.html HTTP/1.1

When I use this method, it can't get the correct value for uri.

filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
      "request_uri" => ["%{DATA:uri}(\?.*)?"]
    }
    break_on_match => false
    remove_field => ["message"]
  }
}

And with this method, it replaces ? with , in the request_uri field:

filter {
  grok {
    match => {
      "message" => ["%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}"]
    }
    remove_field => ["message"]
  }
  mutate {
    split => { "request_uri" => "?" }
    add_field => { "uri" => "%{request_uri[0]}" }
  }
}
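Why the first filter above comes back with an empty uri: grok's DATA is the lazy regex `.*?`, and the pattern `%{DATA:uri}(\?.*)?` is not anchored, so the shortest possible match (nothing at all, with the optional group also empty) is accepted. The Ruby script below is an added example, not code from the thread or from Logstash; it re-implements the `%{NAME:field}` expansion with a few base patterns (bodies simplified from the stock grok-patterns file, an assumption) so the unanchored and anchored patterns can be compared offline on the two sample lines.

```ruby
# Added example: a tiny emulation of grok's %{NAME:field} expansion,
# enough to compare the thread's request_uri patterns offline.
# Pattern bodies are simplified copies of the stock grok-patterns entries.
PATTERNS = {
  "WORD"     => '\b\w+\b',
  "DATA"     => '.*?',                                  # lazy: happily matches ""
  "NUMBER"   => '(?:[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+))',
  "URIPATH"  => "(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\\-]*)+",
  "URIPARAM" => "\\?[A-Za-z0-9$.+!*'(){},~@#%&/=:;_?\\-\\[\\]<>]*",
}

# Recursively turn %{NAME:field} into (?<field>...) and %{NAME} into (?:...).
def expand(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = expand(PATTERNS.fetch(name))   # KeyError for a pattern we did not define
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Apply one grok pattern to a string: Hash of named captures, or nil if no match.
def grok(pattern, text)
  m = Regexp.new(expand(pattern)).match(text)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n] = m[n] }
end

LINE_PATTERN = '%{WORD:method} %{DATA:request_uri} HTTP/%{NUMBER:http_version}'

# Constructed sample lines, same shape as the thread's log file.
SAMPLES = ["GET /login.html?user=hjfeng1988 HTTP/1.1",
           "GET /login.html HTTP/1.1"]

# Mimic break_on_match => false with two match entries: parse the line, then
# run the uri pattern over the request_uri field the first pattern produced.
def parse(line, uri_pattern)
  fields = grok(LINE_PATTERN, line)
  return nil unless fields
  fields.merge(grok(uri_pattern, fields["request_uri"]) || {})
end

# Thread's pattern (unanchored) versus an anchored one, on both sample lines.
['%{DATA:uri}(\?.*)?', '^%{DATA:uri}(\?.*)?$'].each do |p|
  SAMPLES.each { |l| puts "#{p.ljust(24)} #{l.ljust(42)} uri=#{parse(l, p)['uri'].inspect}" }
end
```

The anchored form gives uri="/login.html" for both lines; the stock patterns `%{URIPATH:uri}(?:%{URIPARAM:params})?` do the same and keep the query string in a separate params field.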
