Logstash 8.1 multiple patterns

Dokh_Ahmed · November 24, 2023, 4:26pm

According to the doc of logstash
" ```
filter {
grok {
match => [ "message", "PATTERN1", "PATTERN2" ]
}
}



I wrote my filter as : 
filter {
  grok {
    match => {
      "message" => [
        "%{TIMESTAMP_ISO8601:timestamp} \|  %{LOGLEVEL:log_level} \| \[%{DATA:thread}\] ---  %{NUMBER:process_id} \| %{DATA:class} \| \| %{GREEDYDATA:message}(\\r|\\n)?",
        "%{TIMESTAMP_ISO8601:timestamp} \|  %{LOGLEVEL:log_level} \| \[%{DATA:thread}\] ---  %{NUMBER:process_id} \| %{DATA:class} \| \|     Started %{DATA:SEND_AGENT_REF_TO_S3} \(direct:\/\/agentRefFromSiCas2-3\)"
      ]
    }
  }
}

Logstash seems to start fine with both configurations and report no errors, but the grok parsing isn't working properly with multiple grok patterns yet.

Rios · November 24, 2023, 4:33pm

Welcome to the community. Multipattern is working fine.
grok {
break_on_match => true
match => { "message" => [ "patter1", "pattern2"] }
}
Which an issue do you have?
Have you tested both grok, independently?
Can you show us a sample of data?

system · December 22, 2023, 4:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.