I am trying to parse auth.log into Elasticsearch and since different actions have different formats I cannot parse the whole log as one. I was thinking to check if there are certain words in the message part of the log and if there are to parse only those types of messages into multiple different fields. Is that possible? I would appreciate some examples.
# Logstash filter section: only events whose message matches the regex enter the block
if [message] =~ /pattern matching something in your message/ {
  grok {
    ...   # match => { "message" => "..." } with the fields you want extracted
  }
}
Note that a grok filter can list multiple expressions that are tried one by one in order. That might be more efficient and easier on the eyes than the example above, depending on what your logs look like and how you want to parse them.
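As an added illustration (not part of the original answer), a fuller Logstash pipeline built on the same idea for auth.log: a conditional routes sshd login lines and sudo lines to their own grok filters, and the sshd filter lists two expressions that are tried in order. The program prefixes (`sshd[...]`, `sudo:`) and the sample input are assumptions; the stdin input is a constructed stand-in for the real file input.

```logstash
# Constructed sample input; for a live pipeline replace stdin with
# file { path => "/var/log/auth.log" }.
input { stdin { } }

filter {
  # Only sshd login outcomes enter this branch; other lines pass through untouched.
  if [message] =~ /sshd\[\d+\]: (Accepted|Failed) / {
    grok {
      # Expressions are tried top to bottom; the first match wins
      # (break_on_match defaults to true).
      match => {
        "message" => [
          "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sshd\[%{POSINT:pid}\]: Accepted %{WORD:auth_method} for %{USER:user} from %{IPORHOST:src_ip} port %{POSINT:src_port}",
          "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sshd\[%{POSINT:pid}\]: Failed %{WORD:auth_method} for (invalid user )?%{USER:user} from %{IPORHOST:src_ip} port %{POSINT:src_port}"
        ]
      }
      add_field => { "event_type" => "ssh_login" }
      # Lines that passed the conditional but matched none of the expressions get tagged
      # instead of silently keeping only the raw message.
      tag_on_failure => [ "_sshd_grok_failure" ]
    }
    # Failed logins for accounts that do not exist are the clearest brute-force signal;
    # flag them so a dashboard or alert can filter on one field.
    if "invalid user" in [message] {
      mutate { add_field => { "invalid_user" => "true" } }
    }
  } else if [message] =~ /sudo: / {
    grok {
      # sudo pads the user name with several spaces, hence "sudo: +".
      match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} sudo: +%{USER:user} : TTY=%{DATA:tty} ; PWD=%{DATA:pwd} ; USER=%{USER:run_as} ; COMMAND=%{GREEDYDATA:command}" }
      add_field => { "event_type" => "sudo" }
    }
  }
}

output { stdout { codec => rubydebug } }
```

Feed it lines such as `Jan 12 10:00:01 host sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2` (constructed) and the second sshd expression populates user, src_ip and src_port while the mutate block sets invalid_user.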
Thanks for the information, for some logs which have the same number of fields I am using dissect. Is it possible to list multiple expressions with dissect just like you have suggested for grok?