Multi pattern grok failing to load

After I added the following grok pattern, my config fails to load.

grok {
match => { "tempMessage" => "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}?reason",
"WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/%{INT:number}",
"WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/" }
}

looking at examples on web I'm not sure what I've done wrong when adding multiple patterns.

thank you

Fail how?

in log it says 'Failed to load" "invalid config". I remove this grok and it loads cleanly.

Your filter should look like this:

grok {
  match => {
    "tempMessage" => [
      "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}/%{INT:number}/%{WORD:cancel}\?reason",
      "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/%{INT:number}",
      "WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{DATA:endpoint}/" 
    ]
  }
}

You could do the same thing with a single expression, by the way:

WebAPI - Request Uri: %{DATA:action} http://webservice.bigcompany.com/%{WORD:endpoint}((/%{INT:number})?/(%{WORD:cancel}\?reason)?)?

Thank you for both answers.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.