Matching multiple logs to differnt patterns

cisaksen · June 22, 2017, 3:54pm

I'm using filebeat to send log files from different servers to logstash. Srv1 has an index of nginx, while srv2 has it set to apache.

I have 2 patterns SED_NGINX_COMBINE(custom) and HTTPD_COMBINELOG (builtin).

Not sure how or what is the best way to match these records as they are coming in.

tried :

grok {
patterns_dir => ["/etc/logstash/patterns"]
match => {
"message" => "%{SED_NGINX_COMBINE}"
"message" => "%{HTTPD_COMBINELOG}"
}

but it didn't like this.

Just not sure how to go about this or should I create a second xxx.conf file for the different log files with a different index for Elasticsearch.

magnusbaeck · June 22, 2017, 6:59pm

The grok filter documentation contains an example of how to use multiple grok expressions in the same filter.

cisaksen · June 22, 2017, 7:27pm

Thanks that was incredibility unhelpful !

magnusbaeck · June 26, 2017, 9:06pm

Seriously, why wasn't that helpful? You're having syntax issues getting multiple grok expressions working in a single filter and I pointed you to where you could find examples of just that.

system · July 24, 2017, 9:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok filter with multiple regex not working Logstash	9	976	June 6, 2018
Multiple patterns for log file Logstash	2	1602	July 6, 2017
Grok performance Logstash	5	1307	January 18, 2018
Pattern Matching Logstash	8	1152	April 5, 2017
Grok filter pattern for nginx Logstash	9	6596	October 4, 2018

Matching multiple logs to differnt patterns

Related topics