Multiple match option in grok

magnusbaeck · April 26, 2017, 9:34am

Seems to work fine here:

$ cat test.config 
filter {
    if [type] == "syslog" {
        grok {
            match => {
                "message" => ["%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: Launching batch job %{NUMBER:job_id} for UID %{POSINT:slurm_user_id}","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: launch task %{NUMBER:job_id} request from %{PROG:slurm_host} (\(port %{POSINT:slurm_port}\))","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: _run_prolog: run job script took usec=%{NUMBER:slurm_usec}","%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: _run_prolog: prolog with lock for job %{POSINT:job_id} ran for %{NUMBER:slurm_time}"]
       }
       add_field => [ "received_at", "%{@timestamp}" ]
       add_field => [ "received_from", "%{host}" ]
       }
   }

   syslog_pri { }

   if !("_grokparsefailure" in [tags]) {
        mutate {
           add_tag => "parsed_by_slurm_filter"
        }
    }
    mutate {
        rename => { "syslog_message" => "message" }
    }
}
$ /opt/logstash/bin/logstash -f test.config --configtest
Configuration OK

Topic		Replies	Views
How many matches, we can have in grok filter - as example below Logstash	5	519	October 12, 2018
Grok filter multiple match Logstash	4	18197	October 31, 2019
GROK multiple MATCH filters Logstash	3	5583	July 6, 2017
Multile pattren in single Grok Filter Logstash	5	285	August 28, 2018
Grok performance Logstash	5	1307	January 18, 2018

Multiple match option in grok

Related topics