Logstash conditionals


(Peter) #1

Hello,

I am trying to parse auth.log into the elasticsearch and since different actions have different formats I cannot parse the whole log as one. I was thinking to check if there are certain words in the message part of the log and if there are to parse only those type of messages into multiple different fields. Is that possible? I would appreciate some examples.

Regards,


(Magnus Bäck) #2
if [message] =~ /pattern matching something in your message/ {
  grok {
    ...
  }
}

Note that a grok filter can list multiple expressions that are tried one by one in order. That might be more efficient and easier on the eyes than the example above, depending on what your logs look like and how you want to parse them.


(Peter) #3

Thanks for the information, for some logs which has the same number of fields I am using dissect. Is there. possible to list multiple expressions with dissect just like you have suggested for grok?


(Magnus Bäck) #4

I don't think so, but I've never used dissect.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.