Logstash Dissect Filter - Multiple Delimiters?

boss · November 6, 2018, 9:38pm

Hi all, what is the the best way to support multiple delimiters with the Logstash Dissect Filter?

As an example, suppose one file has logs set up as follows:
2018-11-06_05:30:21 Log message1
And another file has logs set up as such:
2018-11-06-05:30:21 Log message 2
Note the different delimiter between the date and time.

I want to use the same filter for both log files. What is the preferred way to handle this?
I haven't had any luck with the following Logstash filter:

filter {
   dissect { 
      mapping => { 
         "message" => "%{year}-%{month}-%{day}{_,-}%{hour}:%{min}:%{sec} %{msg}"
      }
   }
}

The {_,-} (a common glob pattern) breaks my parsing. Is there any support for this? Or would I just be better off with two separate filters?

Thanks in advance!

Matt

system · December 4, 2018, 9:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Advise for logstash filter Logstash	10	388	May 18, 2018
Help using logstash dissect filtering Logstash	3	325	June 18, 2019
Filter dissect: mapping on double quotes Logstash	3	2671	January 26, 2017
Dissect filter - Empty data between delimiter: unexpected behavior Logstash	1	232	April 8, 2020
Using grok filter to parse log file Logstash	4	417	May 2, 2021

Logstash Dissect Filter - Multiple Delimiters?

Related topics