Am I doing something wrong here?
Only logs with the tag dcsaghosts are processed by the filter; logs with the tag pcwsaghosts are ignored.
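# Parses access-log lines from the dcsaghosts / pcwsaghosts hosts into
# structured fields, then parses the extracted request timestamp with the
# date filter.
#
# The outer conditional accepts either host tag, so an event tagged only
# "pcwsaghosts" does enter this block. It is parsed only if it ALSO carries one
# of the inner tags ("pcw-itpag-idm" or "pcw-sspag-idm") and its line matches
# the pattern for that branch. Events that enter a grok and do not match are
# tagged "_grokparsefailure" by default; checking for that tag on the
# pcwsaghosts events shows whether the problem is the tags or the pattern.
filter {
  if "dcsaghosts" in [tags] or "pcwsaghosts" in [tags] {
    if "dc-itpag-idm" in [tags] or "pcw-itpag-idm" in [tags] {
      grok {
        # The square brackets around the timestamp are escaped: an unescaped
        # [ ... ] is a regex character class, not literal brackets, so the
        # pattern would never match a bracketed timestamp.
        # NOTE(review): the backslashes may have been lost when the config was
        # pasted - confirm against the deployed file.
        match => { "message" => '- %{IPV4:clientip} - - \[%{HTTPDATE:requesttimestamp}\] %{WORD:httpmethod} / %{NUMBER:responsecode:int} %{NUMBER:responsesize:int} - - - %{NUMBER:responsetimems:int}' }
      }
    }
    else if "dc-sspag-idm" in [tags] or "pcw-sspag-idm" in [tags] {
      grok {
        # This pattern contains literal double quotes, so it is written as a
        # single-quoted string. Inside a double-quoted string the first inner
        # quote ends the string (backslash escapes are only honoured when
        # config.support_escapes is enabled), which breaks the config.
        match => { "message" => '%{IPV4:clientip} - - \[%{HTTPDATE:requesttimestamp}\] "%{WORD:httpmethod} /" %{NUMBER:responsecode:int} %{NUMBER:responsesize:int} "-" "-" "-" "%{NUMBER:responsetimems:float}"' }
      }
    }
  }
  # Runs for every event that reaches this filter, not only the tagged ones.
  # The source zone is set explicitly; the match format also reads the offset
  # from the log line itself (the trailing Z in the format string).
  date {
    locale => "en"
    timezone => "America/New_York"
    match => [ "requesttimestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  }
}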