Logstash filter file doesn't work

My_logstash_filter.conf file

filter {
grok {
match => [
"message", "(?[A-Z_A-Z_A-Z]{10,14})",
"message", "(?[A-Z:A-Z:A-Z]{10,14})",
"message", "(?[A-Z]{4})" ]
}
}

These three fields never display at the same time for every message. Any one of them shows and the other two are hidden.
Status  Operator  Loglevel
SENT    --        --
--      GP        --
--      --        INFO

But I need it like this:
Status  Operator  Loglevel
SENT    Blink     WARN
FAIL    GP        INFO
ERROR   GP        INFO

But it does not show the status field.

All my statuses will be (10~14) characters, from these:
"GW_IGNORED
GW_IN_PROGRESS
GW_PENDING
GW_UNREACHABLE
TELCO_ERROR
TELCO_SENT"

How can I add the status field in my Logstash filter's grok?
Thanks

My_logstash_filter.conf file

No, that's not what your file looks like. The <fieldname> after the question mark is missing. Always post your configuration files as preformatted text by using the </> toolbar button.

These three fields never display at the same time for every message. Any one of them shows and the other two are hidden.

That's expected. The grok filter stops processing remaining expressions once it gets a match.

Can't you use a single grok expression to catch all fields? What does an example line from the log look like?
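An added example, not part of the original thread or the poster's configuration: one way to keep separate patterns and still get every field is to turn off grok's `break_on_match` option, so that all patterns are tried. The status alternatives are the six values listed in the question; the Loglevel values (INFO, WARN) are only the ones visible in the thread and are an assumption. The Operator pattern is left out because the thread shows no sample log line to base it on.

```logstash
filter {
  grok {
    # Default is break_on_match => true: grok finishes after the first
    # pattern that matches, so only one field is ever set per event.
    # With false, every pattern in the list is tried against the message.
    break_on_match => false

    match => {
      "message" => [
        # Enumerate the known values instead of using [A-Z]{4}.
        # An unanchored [A-Z]{4} matches the first four capitals anywhere
        # in the line, for example "TELC" inside TELCO_SENT.
        # Assumption: extend this list with the other levels your logs use.
        "\b(?<Loglevel>INFO|WARN)\b",

        # The six status values from the question, matched as whole words.
        "\b(?<Status>GW_IGNORED|GW_IN_PROGRESS|GW_PENDING|GW_UNREACHABLE|TELCO_ERROR|TELCO_SENT)\b"
      ]
    }
  }
}
```

Once a sample log line is available, a single anchored expression that captures all fields in order is stricter than several independent patterns and fails visibly when the line format changes.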

filter {
  grok {
    match => [
      "message", "(?<Loglevel>[A-Z]{4})",
      "message", "(?<Client>[,A-Za-z]{2,6})",
      "message", "(?<Status>[A-Z_A-Z_A-Z]{10,14})",
      "message", "(?<Operator>[A-Z:A-Z:A-Z]{10,14})" ]
  }
}

But it does not show all fields. It always shows only one field.
Thanks for helping me, sir.

If there's anything in my answer you didn't understand just ask for a clarification. Repeating what you've already said isn't useful.
