Log.file.path with grok condition issue with multiple log files

Hi Team,

I am trying to create the index using the log.file.path field in the grok if condition. Actually, I am including multiple file paths. While doing this, the index is not created, but if I include only one, then it works well.
I attached my scenarios below; can anyone let me know what I missed here?

Multiple log files included: (This method is not working)

filter {
    if [log][file][path] == "/var/log/apache2/sfsite-access_log","/var/log/apache2/sfapi-access_log" {
      grok {
        match => { "message" => "\[%{HTTPDATE:time_stamp}\] %{HOSTNAME:domain_name} \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} (?:%{NUMBER:response_bytes}|-)  %{QS:agent} %{NOTSPACE:page_url} %{QS:agent_type}" }
      }
    }
}

Single log file included: (This method is working)

filter {
    if [log][file][path] == "/var/log/apache2/sfsite-access_log" {
      grok {
        match => { "message" => "\[%{HTTPDATE:time_stamp}\] %{HOSTNAME:domain_name} \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} (?:%{NUMBER:response_bytes}|-)  %{QS:agent} %{NOTSPACE:page_url} %{QS:agent_type}" }
      }
    }
}

NOTE: The only change I made is the number of log files included.

Kindly advise.

Thanks

This is not the correct way to test multiple values, check the documentation and try to use in.

if [log][file][path] in ["/var/log/apache2/sfsite-access_log","/var/log/apache2/sfapi-access_log"]

@leandrojmp
Thank you. I will modify my configuration.
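
The suggested `in` test applied to the full filter from the question, as an added example that is not part of the original posts. It also goes one step further with an `else` branch that tags events from any other path so they show up in searches instead of being indexed unparsed; the tag name `unlisted_log_path` is an assumption made for this example.

```conf
filter {
  # "in" tests membership in the list; "==" only compares against a single value.
  if [log][file][path] in ["/var/log/apache2/sfsite-access_log", "/var/log/apache2/sfapi-access_log"] {
    grok {
      # Same pattern as in the question. If a line does not match, grok adds
      # the _grokparsefailure tag by default, which can be searched for.
      match => { "message" => "\[%{HTTPDATE:time_stamp}\] %{HOSTNAME:domain_name} \"%{WORD:method} /%{NOTSPACE:request_page} HTTP/%{NUMBER:http_version}\" %{NUMBER:response_code} (?:%{NUMBER:response_bytes}|-)  %{QS:agent} %{NOTSPACE:page_url} %{QS:agent_type}" }
    }
  } else {
    # Assumed tag name for this example: marks events whose path is not in the list.
    mutate {
      add_tag => ["unlisted_log_path"]
    }
  }
}
```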
