Matching conditions not working

Hello!

I have a logfile that I want to parse with grok:

<result>;<short message>;<long message>;<scriptname>;<performance>
    <result>:        [OK|WARNING|ERROR]
    <short message>: short Info
    <long message>:  Error-Message
    <scriptname>:    name of script
    <performance>:   Services: <number>, Service without Server: <number>, DNS-Problems: <number>, Servers: <number>

It is possible to get two different log messages, for example:

Log with performance data:
WARNING: some errores;some servers with dns-problems;get_Services.ps1;Services: 1, Service without Server: 2, DNS-Problems: 3, Servers: 4
Log without performance data:
OK: All Fine;No Problems;get_Services.ps1

Here is my pattern:

    if [type] == "syslog" and [host_group] == "services" and [message] =~ /.*:.*;.*;get_Services.ps1;Services:.*,.*Service without Server:.*,.*DNS-Problems:.*,.*Servers:.*/ {
        grok {
            patterns_dir => "/var/lib/neteye/logstash/etc/pattern.d"
            match => [ "message", '%{DATA:cmdb_result}: %{DATA:cmdb_shortmessage};%{DATA:cmdb_errormessage};%{GREEDYDATA:cmdb_scriptname};Services: %{INT:cmdb_services}, Service without Server: %{INT:cmdb_servicewithoutserver}, DNS-Problems: %{INT:cmdb_dnsproblems}, Servers: %{INT:cmdb_servers}' ]
            add_tag => "cmdb_Services_withPerformance"
            remove_tag => "_grokparsefailure"
            break_on_match => true
        }
    }

    if [type] == "syslog" and [host_group] == "services" and [message] =~ /.*:.*;.*;get_Services.ps1$/ {
        grok {
            patterns_dir => "/var/lib/neteye/logstash/etc/pattern.d"
            match => [ "message", '%{DATA:cmdb_result}: %{DATA:cmdb_shortmessage};%{DATA:cmdb_errormessage};%{GREEDYDATA:cmdb_scriptname}.*' ]
            add_tag => "cmdb_Services"
            remove_tag => "_grokparsefailure"
            break_on_match => false
        }
    }

My problem is that when a log with performance data is read, both conditions are true! How do I have to change the second condition so that only a logfile without performance data is matched?
Only a string like this
OK: All Fine;No Problems;get_Services.ps1
should be matched by this condition:
if [type] == "syslog" and [host_group] == "services" and [message] =~ /.*:.*;.*;get_Services.ps1$/

rg
Hansi
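
An added example, not part of the original post: the two conditional regexes from the post evaluated in Ruby against both sample lines and against a constructed two-line event, followed by one anchored pattern with an optional performance group that handles both variants. It assumes Logstash evaluates `=~` with Ruby regexp semantics, where `$` anchors at the end of a line rather than the end of the string; the names `conditions`, `parse`, `PERF`, `CMDB` and the `TWO_LINES` sample are hypothetical.

```ruby
# Added example (not from the original post). Assumes Ruby regexp semantics for `=~`.
WITH_PERF = 'WARNING: some errores;some servers with dns-problems;get_Services.ps1;' \
            'Services: 1, Service without Server: 2, DNS-Problems: 3, Servers: 4'
WITHOUT_PERF = 'OK: All Fine;No Problems;get_Services.ps1'
# Constructed sample: one event that carries both lines (e.g. after multiline merging).
TWO_LINES = "#{WITHOUT_PERF}\n#{WITH_PERF}"

# The two conditional regexes exactly as written in the post.
COND_PERF  = /.*:.*;.*;get_Services.ps1;Services:.*,.*Service without Server:.*,.*DNS-Problems:.*,.*Servers:.*/
COND_PLAIN = /.*:.*;.*;get_Services.ps1$/

# Hypothetical alternative: a single pattern anchored to the whole string (\A ... \z)
# whose performance section is optional. Capture names reuse the post's field names.
PERF = /;Services: (?<cmdb_services>\d+), Service without Server: (?<cmdb_servicewithoutserver>\d+), DNS-Problems: (?<cmdb_dnsproblems>\d+), Servers: (?<cmdb_servers>\d+)/
CMDB = /\A(?<cmdb_result>[^:;]+): (?<cmdb_shortmessage>[^;]*);(?<cmdb_errormessage>[^;]*);(?<cmdb_scriptname>[^;\s]+)(?:#{PERF})?\s*\z/

# Which of the post's two conditions is true for a message.
def conditions(message)
  { with_perf: COND_PERF.match?(message), plain: COND_PLAIN.match?(message) }
end

# Parse a message with the single anchored pattern; returns nil when it does not fit.
def parse(message)
  m = CMDB.match(message)
  return nil unless m

  fields = m.named_captures.compact # drop the unmatched optional groups
  tag = fields.key?('cmdb_services') ? 'cmdb_Services_withPerformance' : 'cmdb_Services'
  fields.merge('tag' => tag)
end

if __FILE__ == $PROGRAM_NAME
  [WITH_PERF, WITHOUT_PERF, TWO_LINES].each do |msg|
    puts msg.inspect, "  conditions: #{conditions(msg)}", "  parsed: #{parse(msg).inspect}"
  end
end
```

In a grok `match`, the same idea is an optional non-capturing group `(?:;Services: %{INT:cmdb_services}, ...)?` around the performance part, with the pattern anchored at both ends.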
