Hi,
I have an input that is sending data in two different formats.
format 1
16-Sep-2024 03:21:53.421 INFO [pool-13-thread-18] c.r.s.f.p.PropertyFacadeImpl [PropertyFacadeImpl.java:209] Getting PropertyList for client 48b7ad supplied by AccessService
format 2
2024-09-16 03:22:27.050 | timestamp="2024-09-16T03:22:27.013Z", local_host="i-0701f40e7b0779e08", status="200", remote_host="10.44.83.183", client_id="a9f7c0", subject_id="NO_SUBJECT_ID", service_access_id="MY_SERVICE_ID", billing_event_sent="true", execution_time="37", uri="/endpoint/v1/property/12073281.json", queryString="returnFields=type%2Clocation%2Cage%2CfeatureList"
Ideally I want to be able to extract the fields out of the format 2 pattern (which obviously won't work for pattern 1).
I'm wondering if there is a way to match on a line pattern, e.g. like this:
filter {
  # Conditionals use =~ with a plain regex literal, not grok pattern names,
  # so the timestamp shape is spelled out. Format 1 has no "|" after the level.
  if [message] =~ /^\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}/ {
    # match line pattern format 1
    grok {
      match => { "message" => "^%{MONTHDAY:_monthday}-%{MONTH:_month}-%{YEAR:_year} %{TIME:_time} %{LOGLEVEL:_level} %{GREEDYDATA:message}" }
      overwrite => [ "message" ]
    }
  }
  else if [message] =~ /^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[.,]\d+ \| / {
    # match line pattern format 2
    grok {
      match => { "message" => "^%{TIMESTAMP_ISO8601:_timestamp} \| %{GREEDYDATA:message}" }
      overwrite => [ "message" ]
    }
    # pairs look like key="value", key="value": split on the comma and
    # strip the space that follows it from the front of the next key
    kv {
      source => "message"
      target => "format2_fields"
      field_split => ","
      value_split => "="
      trim_key => " "
    }
  }
}
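As an added example (not the poster's code and not a Logstash config), the same two-way dispatch in plain Python: anchored regexes stand in for the conditionals and grok patterns, and a small `key="value"` scanner stands in for the kv filter. It runs over copies of the two sample lines from the question (embedded here as constructed input), so the detection regexes can be checked before they go into a pipeline. The kv scanner assumes every value is double-quoted, which is what format 2 shows.

```python
import re

# Constructed sample lines, copied from the two formats shown in the question.
FORMAT1_LINE = ('16-Sep-2024 03:21:53.421 INFO [pool-13-thread-18] '
                'c.r.s.f.p.PropertyFacadeImpl [PropertyFacadeImpl.java:209] '
                'Getting PropertyList for client 48b7ad supplied by AccessService')
FORMAT2_LINE = ('2024-09-16 03:22:27.050 | timestamp="2024-09-16T03:22:27.013Z", '
                'local_host="i-0701f40e7b0779e08", status="200", '
                'remote_host="10.44.83.183", client_id="a9f7c0", '
                'subject_id="NO_SUBJECT_ID", service_access_id="MY_SERVICE_ID", '
                'billing_event_sent="true", execution_time="37", '
                'uri="/endpoint/v1/property/12073281.json", '
                'queryString="returnFields=type%2Clocation%2Cage%2CfeatureList"')

# Anchored at the start of the line so the format is decided by the timestamp
# shape alone; the named groups mirror the field names used in the grok patterns.
FORMAT1_HEAD = re.compile(
    r'^(?P<_monthday>\d{2})-(?P<_month>[A-Z][a-z]{2})-(?P<_year>\d{4}) '
    r'(?P<_time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) (?P<_level>[A-Z]+) (?P<message>.*)$')
FORMAT2_HEAD = re.compile(
    r'^(?P<_timestamp>\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}(?:[.,]\d+)?) \| '
    r'(?P<message>.*)$')

# key="value" pairs; the quotes bound the value, so a comma or "=" inside a
# value (e.g. in queryString) cannot split or corrupt a pair.
KV_PAIR = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Dispatch on the leading timestamp, like the two if-blocks in the config."""
    m = FORMAT1_HEAD.match(line)
    if m:
        return {'format': 1, **m.groupdict()}
    m = FORMAT2_HEAD.match(line)
    if m:
        fields = m.groupdict()
        # Equivalent of kv { source => "message" target => "format2_fields" }
        fields['format2_fields'] = dict(KV_PAIR.findall(fields['message']))
        return {'format': 2, **fields}
    # Neither pattern matched: keep the raw line, like a _grokparsefailure event.
    return {'format': None, 'message': line}


if __name__ == '__main__':
    for line in (FORMAT1_LINE, FORMAT2_LINE, 'unexpected line'):
        print(parse_line(line))
```

Because both head regexes are anchored with `^` and `$`, a line that matches one cannot match the other, and anything else falls through with `format` set to `None` so it can be tagged or dropped rather than silently half-parsed.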