Is it okay to have multiple grok filter files?

I wanted to have a clean structure with my grok filters. For example, I have PHP, nginx and a bunch of other filters for some of my application logs.

Would it therefore be okay to have, for example:

11-nginx.conf
13-php.conf
14-applogs.conf

In my present structure I have if statements that state the following:

filter {
  if [log][file][path] == "/var/log/nginx/access.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINX_ACCESS}" }
    }
  }
  else if [log][file][path] == "/var/log/nginx/error.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINX_ERROR}" }
    }
  }
  else {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]

Is it necessary to carry on with this if statement approach if the rules are separated into different conf files?

If you have filters defined in multiple files and they are running in the same pipeline then they are concatenated into a single filter section by Logstash, so yes, the conditionals are required. If you are using multiple pipelines they may or may not be needed.
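The split layout from the question with the conditionals kept in each file, as an added example that is not part of the original posts. The `/etc/logstash/conf.d/` directory, the PHP log path and the `PHP_ERROR` pattern name are assumptions for illustration; the nginx paths and pattern names are the ones from the question.

```conf
# ---- /etc/logstash/conf.d/11-nginx.conf (directory is an assumption) ----
# Files in one pipeline are concatenated, so every event passes through
# every filter block below. Each file therefore guards its own grok.
filter {
  if [log][file][path] == "/var/log/nginx/access.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINX_ACCESS}" }
    }
  }
  else if [log][file][path] == "/var/log/nginx/error.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINX_ERROR}" }
    }
  }
  # No trailing "else" here: after concatenation it would also match the
  # PHP and application events that 13-php.conf and 14-applogs.conf handle.
}

# ---- /etc/logstash/conf.d/13-php.conf ----
# Log path and pattern name below are hypothetical placeholders.
filter {
  if [log][file][path] == "/var/log/php/error.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{PHP_ERROR}" }
    }
  }
}
```

Without the guards, nginx events would also be run against the PHP pattern and fail to match, which by default tags them `_grokparsefailure` and makes real parsing failures harder to spot downstream.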
