Hi,
I would like somehow to have multiple dissect or grok
one for Errorlog :
dissect { mapping => { "message" => "[%logdate}] %{exception}.%{CHttpException}.%{logtype}.%{loglevel}: %{errormessage}" } }
and second one for Info log but the syntax is different:
[2020-10-21 14:51:33] application.INFO:
"message" => "[%logdate}] %{application}.%{loglevel}: %{infomessage}"
You can have multiple dissect filters. The documentation suggests using if conditions to determine which dissect to apply.
Hi, thank you very much for your link !! and answer
> if[message]=~ /application/{
> dissect {mapping => {"message" => "[%{logdate}] %{application}.%{loglevel}: %{logsmessage}"}}
> }
> else{
> dissect { mapping => { "message" => "[%{logdate}] %{exception}.%{CHttpException}.%{errorcode}.%{loglevel}: %{errormessage}" } }
> }
Could you please tell how to correct enter the condition for message ?
or should I just write if [message ]== application{
}
thank you
No, that is a string equality test. You can use a regex, as you have shown, or you can use a sub-string match
if "application" in [message] {
thank you very much for your answer
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.