Matching multiple logs to differnt patterns

cisaksen · June 22, 2017, 3:54pm

I'm using filebeat to send log files from different servers to logstash. Srv1 has an index of nginx, while srv2 has it set to apache.

I have 2 patterns SED_NGINX_COMBINE(custom) and HTTPD_COMBINELOG (builtin).

Not sure how or what is the best way to match these records as they are coming in.

tried :

grok {
patterns_dir => ["/etc/logstash/patterns"]
match => {
"message" => "%{SED_NGINX_COMBINE}"
"message" => "%{HTTPD_COMBINELOG}"
}

but it didn't like this.

Just not sure how to go about this or should I create a second xxx.conf file for the different log files with a different index for Elasticsearch.

magnusbaeck · June 22, 2017, 6:59pm

The grok filter documentation contains an example of how to use multiple grok expressions in the same filter.

cisaksen · June 22, 2017, 7:27pm

Thanks that was incredibility unhelpful !

magnusbaeck · June 26, 2017, 9:06pm

Seriously, why wasn't that helpful? You're having syntax issues getting multiple grok expressions working in a single filter and I pointed you to where you could find examples of just that.

system · July 24, 2017, 9:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.