Matching multiple Grok patterns in a single Logstash config file


(Antonio Acién) #1

Hi there.

I'm trying to send a couple of files through Filebeat to an ELK stack. The thing is that the log syntax is not the same, so I came up with two different patterns that match each of them separately.

I've tried different syntaxes for the "filter" part of the Logstash config file, but none of them seem to work, because I always get the _grokparsefailure flag (which, from what I've read, appears if the string does not match any of the patterns).

I've tried the patterns in the Grok Debugger, and they are working, so I guess I'm not specifying them correctly in the config file. Here's the config file with the patterns, and some examples for both.

Edit: I'm sorry, this post was published by mistake, as I didn't have access to all the files at the time, and I can't figure out how to delete it. If some admin/mod can remove it for me, it is perfectly fine.


#2

Your problem shouldn't be that complicated to solve (normally).

Have your filter do the following:

filter {
  # Each grok block only runs while no earlier block has matched.
  if "SUCCESS" not in [tags] {
    grok {
      match => {...}
      # add_tag/remove_tag only fire when this grok matches, so a match here
      # clears the failure tag left by an earlier block and marks the event done
      remove_tag => ["_grokparsefailure"]
      add_tag => ["SUCCESS"]
    }
  }

  if "SUCCESS" not in [tags] {
    grok {
      match => {...}
      remove_tag => ["_grokparsefailure"]
      add_tag => ["SUCCESS"]
    }
  }

  # and so on, one guarded grok block per log format
}

Or you can switch to: if "_grokparsefailure" in [tags] ... and then remove the tag.
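A complete pipeline built on the tag-guard approach in the reply above, as an added example that is not part of the original thread. The two log formats, their grok patterns, the field names (syslog_host, src_ip, and so on), the stdin input and the three sample lines are all assumptions made for this example; the original poster's actual patterns and files are not on this page.

```logstash
# Added example (not from the original thread): one Logstash pipeline that
# tries two grok patterns in turn, using the "SUCCESS" tag guard from the
# reply above. Field names, the port number and both log formats are assumptions.
#
# Constructed sample lines to paste on stdin:
#   Mar  3 10:15:02 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
#   203.0.113.7 - - [03/Mar/2020:10:15:02 +0000] "GET /login HTTP/1.1" 401 512
#   this line matches neither pattern

input {
  stdin { }                      # for local testing; swap for beats { port => 5044 }
}

filter {
  # Pattern 1: sshd "Failed password" lines. Runs only while no earlier grok
  # has succeeded. add_tag/remove_tag fire only on a match, so a match here
  # marks the event done; a miss leaves _grokparsefailure for the next block.
  # The host field is left alone on purpose: Filebeat already sets [host].
  if "SUCCESS" not in [tags] {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_host} sshd\[%{POSINT:pid}\]: Failed password for (?:invalid user )?%{USERNAME:user} from %{IP:src_ip} port %{POSINT:src_port} ssh2" }
      add_tag    => ["SUCCESS", "ssh_auth_failure"]
      remove_tag => ["_grokparsefailure"]
    }
  }

  # Pattern 2: common (Apache/Nginx) access log format, tried only if pattern 1
  # missed. A match here clears the _grokparsefailure left behind by pattern 1.
  if "SUCCESS" not in [tags] {
    grok {
      match => { "message" => "%{COMMONAPACHELOG}" }
      add_tag    => ["SUCCESS", "http_access"]
      remove_tag => ["_grokparsefailure"]
    }
  }

  # Anything still carrying _grokparsefailure matched neither pattern; tag it
  # so it is easy to find in Kibana instead of silently indexing raw text.
  if "_grokparsefailure" in [tags] {
    mutate { add_tag => ["unparsed"] }
  }
}

output {
  stdout { codec => rubydebug }  # inspect the tags and extracted fields
}
```

Run it with `bin/logstash -f multi-grok.conf` and paste the three sample lines: the first comes out tagged `ssh_auth_failure` and `SUCCESS` with `user`, `src_ip` and `src_port` extracted, the second tagged `http_access` and `SUCCESS` with the `clientip`, `verb`, `request` and `response` fields that `%{COMMONAPACHELOG}` produces, and the third keeps `_grokparsefailure` and gains `unparsed`. Put the most specific (or most frequent) format first, since a looser pattern placed first will claim lines meant for a later one. When no per-format tags or follow-on filters are needed, the same effect fits in a single grok block: `match => { "message" => ["PATTERN_A", "PATTERN_B"] }` tries the patterns in order, stops at the first match (`break_on_match` defaults to true) and only adds `_grokparsefailure` when every pattern fails.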


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.