If condition in logstash filter

ashok9177 · November 19, 2018, 1:45pm

I have written if the condition for grok filter

filter {
if "id4444" in [fields][component] {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (\[%{WORD:loglevel}\]) %{DATA} - %{DATA:method} processing time for transactionId : %{S3_REQUEST_LINE:transactionid} documentType : %{WORD:document type} is %{INT:duration:int}" }

  match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} (\[%{WORD:loglevel}\]) %{DATA} - %{DATA:method} processing time for transactionId : %{S3_REQUEST_LINE:transactionid} documentType : %{WORD:document type} merchant : %{HOSTNAME:merchant} is %{INT:duration:int}" }


 match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} \[%{WORD:loglevel}\] %{GREEDYDATA}" }
  }
}
else if "idt.512" or "idt.256"  in [fields][component] {
 grok {

    match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER} (\[%{WORD:loglevel}\])" ]
}
}
else if "id2fa"  in [fields][component] {
 grok {

    match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{NUMBER} (\[%{WORD:loglevel}\])" ]
}
}

grok {

    match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} %{WORD:loglevel}" ]
}

if condition is working but again all fields applying the last filter also, how exclude las grok filter to above fields ?

system · December 17, 2018, 1:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.