How to try many grok matches, and take only the one that works?

Hi everyone!
I have 10 types of logs I need to process. They differ from each other but have some similarities, so I built a grok filter that matches each one, and non of the other types. How do I write it into the .conf logstash file so that the filter will analyze the log with the right grok match?
Plus, How to I turn the grok categories into aggregatable fields in kibana?

What I'm looking for is something like this:

filter{
    grok{
        match => {"messade" => grokPattern}
    }
if no match:
    grok{
        match => {"messade" => anotherGrokPattern}
    }
...
}

Any tips?
Thanks!

I have 10 types of logs I need to process. They differ from each other but have some similarities, so I built a grok filter that matches each one, and non of the other types. How do I write it into the .conf logstash file so that the filter will analyze the log with the right grok match?

You can list multiple grok expressions in the same grok filter. See example at Grok filter plugin | Logstash Reference [8.11] | Elastic.

Plus, How to I turn the grok categories into aggregatable fields in kibana?

What's a "grok category"?

Thanks for the reply!

A: if I match multiple grok expression does it add "grok parse failure" tag when it's tryting to match grok pattern that dosen't match?

B: "grok pattern" is, for example, if I have grok pattern like: {INT:accuontNum} I want to aggregate in kibana by this.

if I match multiple grok expression does it add "grok parse failure" tag when it's tryting to match grok pattern that dosen't match?

The _grokparsefailure tag will be added if none of the expressions match.

"grok pattern" is, for example, if I have grok pattern like: {INT:accuontNum} I want to aggregate in kibana by this.

You want to aggregate on the accountNum field? That's possible by default; you don't have to do anything special.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.