Matching conditions not working

hansis100 · March 22, 2018, 7:40am

Hello!

I have a logfile that I want to parse with grok

<result>;<short message>;<long message>;<scriptname>;<performance>
    <result>:        [OK|WARNING|ERRROR]
    <short message>  short Info
    <long message>: Error-Message
    <scriptname>:    name of script
    <performance>:   Services: <number>, Service without Server: <number>, DNS-Problems: <number>, Servers: <number>

It is possible to get two different logmessages. for example

Log with Performancedata:
WARNING: some errores;some servers with dns-problems;get_Services.ps1;Services: 1, Service without Server: 2, DNS-Problems: 3, Servers: 4
Log without Performancedata:
OK: All Fine;No Problems;get_Services.ps1

Here is my pattern:

if [type] == "syslog" and [host_group] == "services" and [message] =~ /.*:.*;.*;get_Services.ps1;Services:.*,.*Service without Server:.*,.*DNS-Problems:.*,.*Servers:.*/ {
        grok {
            patterns_dir => "/var/lib/neteye/logstash/etc/pattern.d"
            match => [ "message", '%{DATA:cmdb_result}: %{DATA:cmdb_shortmessage};%{DATA:cmdb_errormessage};%{GREEDYDATA:cmdb_scriptname};Services: %{INT:cmdb_services}, Service without Server: %{INT:cmdb_servicewithoutserver}, DNS-Problems: %{INT:cmdb_dnsproblems}, Servers: %{INT:cmdb_servers}' ]
            add_tag => "cmdb_Services_withPerformance"
            remove_tag => "_grokparsefailure"
            break_on_match => true
        }
    }

   if [type] == "syslog" and [host_group] == "services" and [message] =~ /.*:.*;.*;get_Services.ps1$/ {

      grok {
          patterns_dir => "/var/lib/neteye/logstash/etc/pattern.d"
          match => [ "message", '%{DATA:cmdb_result}: %{DATA:cmdb_shortmessage};%{DATA:cmdb_errormessage};%{GREEDYDATA:cmdb_scriptname}.*' ]
          add_tag => "cmdb_Services"
          remove_tag => "_grokparsefailure"
          break_on_match => false
        }
    }

I have the problem, if a log with performance data is reading both conditions are true! How do I have to change the second conditions, that only a logfile without performancedata is matched?
only string like this
OK: All Fine;No Problems;get_Services.ps1
should be machted with this condition
if [type] == "syslog" and [host_group] == "services" and [message] =~ /.*:.*;.*;get_Services.ps1$/

rg
Hansi

system · April 19, 2018, 7:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Matching two different patterns in one config Logstash	5	6968	July 6, 2017
Logstash - Multiple grok pattern not working together Logstash	4	818	June 18, 2019
Multiple pattern matching log file Logstash	3	1060	July 6, 2017
Filter problems Logstash	8	652	July 6, 2017
Multiple match option in grok Logstash	8	15731	May 24, 2017

Matching conditions not working

Related topics