Hello,
I am trying to parse auth.log into the elasticsearch and since different actions have different formats I cannot parse the whole log as one. I was thinking to check if there are certain words in the message part of the log and if there are to parse only those type of messages into multiple different fields. Is that possible? I would appreciate some examples.
Regards,
if [message] =~ /pattern matching something in your message/ {
grok {
...
}
}
Note that a grok filter can list multiple expressions that are tried one by one in order. That might be more efficient and easier on the eyes than the example above, depending on what your logs look like and how you want to parse them.
Thanks for the information, for some logs which has the same number of fields I am using dissect. Is there. possible to list multiple expressions with dissect just like you have suggested for grok?
I don't think so, but I've never used dissect.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.