I have two kinds of logs, as shown below, in my log file, which I need to match:
-- url: /display/wDocs/com.abc.downloadmanager+v1.1 | userName: komail badami | referer: https://abcd.com/display/wDocs/com.abc.downloadmanager+v1.1
-- url: /pages/viewpage.action | userName: komail badami | referer: https://abcd.com/pages/viewpage.action?pageId=109851237
So, I wrote a grok multiple-match construct as follows:
    filter {
      grok {
        patterns_dir => "./patterns"
        break_on_match => false
        match => { "message" => [
          "-- url: \/%{DATA:url1}\/%{DATA:url2}\/%{DATA:url3}%{GREEDYDATA:pageName}[ ;]\|[ ;]userName:[; ]%{GREEDYDATA:userName}[ ;]\|[ ;]",
          "-- url: \/pages\/viewpage\.action[ ;]\|[ ;]userName:[; ]%{GREEDYDATA:userName}[ ;]\|[ ;]referer:[ ;]%{URIPROTO:uriProto}://%{HOSTNAME:host}/%{WORD:h1}/%{WORD:h2}/%{GREEDYDATA:pageName}"
        ] }
      }
      if "_grokparsefailure" in [tags] {
        drop {}
      }
      if "v1" not in [pageName] and "v2" not in [pageName] and "v3" not in [pageName] {
        drop {}
      }
    }
I need to get the pageName and userName from these logs for all the log entries which have a version field in them and which match the grok filters. But it doesn't seem to work. What am I doing wrong here?
Note: Using only the first grok pattern works well, but I need both to be checked. I've tested the patterns individually in the Grok Debugger and they work.
Thanks in advance.
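Added example, not part of the question above: a small Python harness that expands the two grok patterns from the question into regular expressions and runs them over the two sample log lines, so the captured fields (and any pattern that fails to match) can be checked without starting Logstash. Assumed: the DATA, GREEDYDATA, WORD, HOSTNAME and URIPROTO definitions are copied from the legacy grok-patterns file of logstash-patterns-core, and break_on_match => false is emulated by trying every pattern.

```python
import re

# Grok definitions the two patterns rely on (assumption: copied from the
# legacy grok-patterns file shipped with logstash-patterns-core).
GROK_DEFS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "WORD": r"\b\w+\b",
    "HOSTNAME": r"\b(?:[0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)",
    "URIPROTO": r"[A-Za-z]([A-Za-z0-9+\-.]+)+",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_to_regex(pattern, defs=GROK_DEFS):
    """Expand %{SYNTAX:SEMANTIC} references into named Python regex groups."""
    def expand(m):
        syntax, semantic = m.group(1), m.group(2)
        body = defs[syntax]  # KeyError = unknown pattern name, as in Logstash
        return f"(?P<{semantic}>{body})" if semantic else f"(?:{body})"
    while GROK_REF.search(pattern):  # repeat for definitions that nest others
        pattern = GROK_REF.sub(expand, pattern)
    return pattern

def grok_match(pattern, line):
    """Captured fields, or None when the pattern does not match (grok is unanchored)."""
    m = re.search(grok_to_regex(pattern), line)
    return m.groupdict() if m else None

def run_patterns(patterns, line):
    """break_on_match => false: try every pattern; all None = _grokparsefailure."""
    return [grok_match(p, line) for p in patterns]

# The two patterns from the question (stray space in %{WORD:h2 } removed).
PATTERNS = [
    r"-- url: \/%{DATA:url1}\/%{DATA:url2}\/%{DATA:url3}%{GREEDYDATA:pageName}"
    r"[ ;]\|[ ;]userName:[; ]%{GREEDYDATA:userName}[ ;]\|[ ;]",
    r"-- url: \/pages\/viewpage\.action[ ;]\|[ ;]userName:[; ]%{GREEDYDATA:userName}"
    r"[ ;]\|[ ;]referer:[ ;]%{URIPROTO:uriProto}://%{HOSTNAME:host}"
    r"/%{WORD:h1}/%{WORD:h2}/%{GREEDYDATA:pageName}",
]
# The two sample log lines from the question.
LOGS = [
    "-- url: /display/wDocs/com.abc.downloadmanager+v1.1 | userName: komail badami"
    " | referer: https://abcd.com/display/wDocs/com.abc.downloadmanager+v1.1",
    "-- url: /pages/viewpage.action | userName: komail badami"
    " | referer: https://abcd.com/pages/viewpage.action?pageId=109851237",
]
if __name__ == "__main__":
    for line in LOGS:
        print(run_patterns(PATTERNS, line))  # one dict (or None) per pattern
```

Running it prints, for each sample line, one entry per pattern; a line whose entries are all None is exactly the case the config drops via the _grokparsefailure tag.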