How to use two grok statements for log files

I want to use two grok statements for my log files. I have two different structures of logs in my folder. How would I do this if I want to match some log files to one of the groks and the rest to the other? These are the two grok statements.

filter {
  if [path] =~ "access" {
    mutate { replace => { type => "apache_access" } }
  }

  # First structure: timestamp, level, [thread], user agent, (program), message.
  # Square brackets and parentheses are regex metacharacters in grok, so they are
  # escaped to be matched literally.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} \[%{DATA:thread}\] %{NOTSPACE:browserinfo} \(%{GREEDYDATA:program}\) %{GREEDYDATA:message}" }
  }

  # Second structure: timestamp, level, free text.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:severity} %{GREEDYDATA:some_data}" }
  }
}

If you look in the documentation, you can see an example of how to specify multiple grok expressions. You put the most specific first, and if that does not match it evaluates the next one, etc.

You should however try to never have more than one DATA or GREEDYDATA pattern in a single expression, as it is slow and can be error prone. Always try to specify patterns that are as specific as possible.
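To make the two points in this answer concrete (ordered matching and the cost of multiple GREEDYDATA captures), here is an added Python emulation of what grok does with a match array; it is not code from the thread or from Logstash itself. The regexes for TIMESTAMP_ISO8601 and LOGLEVEL are simplified approximations of the real grok definitions, the sample log lines are constructed, and the two expressions are the ones from the question with brackets and parentheses escaped.

```python
import re
from typing import Dict, List, Optional

# Simplified regex equivalents of the grok patterns used in the thread. The real
# grok definitions of TIMESTAMP_ISO8601 and LOGLEVEL are longer; these are
# constructed approximations, enough to show how the matching behaves.
GROK_PATTERNS: Dict[str, str] = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?(?:Z|[+-]\d{2}:?\d{2})?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|WARNING|ERROR|FATAL|SEVERE)",
    "DATA": r".*?",          # non-greedy, like grok's DATA
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",     # greedy, like grok's GREEDYDATA
}

_GROK_REF = re.compile(r"%\{(\w+):(\w+)\}")


def grok_to_regex(expression: str) -> "re.Pattern[str]":
    """Expand %{PATTERN:field} references into named regex groups; everything
    else in the expression is passed through as regex text, as grok does."""
    def expand(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{GROK_PATTERNS[name]})"
    return re.compile("^" + _GROK_REF.sub(expand, expression) + "$")


def match_first(message: str, expressions: List[str]) -> Optional[Dict[str, str]]:
    """Emulate a grok 'match' array: try each expression in the order given and
    return the fields captured by the first one that matches. None means no
    expression matched, which is where Logstash adds the _grokparsefailure tag."""
    for expression in expressions:
        m = grok_to_regex(expression).match(message)
        if m:
            return m.groupdict()
    return None


# The two expressions from the question, brackets and parentheses escaped so
# that they are matched literally. The more specific one goes first.
SPECIFIC = (r"%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} \[%{DATA:thread}\] "
            r"%{NOTSPACE:browserinfo} \(%{GREEDYDATA:program}\) %{GREEDYDATA:message}")
GENERIC = r"%{TIMESTAMP_ISO8601:time} %{LOGLEVEL:severity} %{GREEDYDATA:some_data}"

# Constructed sample lines: one of each structure, plus a third that shows why
# two GREEDYDATA captures in one expression are error prone: the greedy
# 'program' capture swallows everything up to the LAST ") ", so it becomes
# "Loader) failed (timeout" and 'message' is only "after 30s".
SAMPLE_LINES = [
    "2016-03-01T10:15:30 INFO [main] Mozilla/5.0 (Loader) started ok",
    "2016-03-01T10:15:31 WARN disk almost full",
    "2016-03-01T10:15:32 ERROR [worker-1] curl/7.4 (Loader) failed (timeout) after 30s",
]


def parse_lines(lines: List[str], expressions: Optional[List[str]] = None) -> List[Optional[Dict[str, str]]]:
    """Run every line through the ordered expression list (default: specific first)."""
    if expressions is None:
        expressions = [SPECIFIC, GENERIC]
    return [match_first(line, expressions) for line in lines]


if __name__ == "__main__":
    for line, fields in zip(SAMPLE_LINES, parse_lines(SAMPLE_LINES)):
        print(line)
        print("   ->", fields)
```

In Logstash the same ordering is expressed as a single grok filter with `match => { "message" => [ SPECIFIC, GENERIC ] }`; put the generic expression first and it will match every line, so the specific fields are never extracted. The third sample line is the caveat from the answer in action: anchoring the capture with a more specific pattern than GREEDYDATA (for instance a NOTSPACE or a character class that excludes the closing parenthesis) is what prevents the overrun.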
