Multiple pattern matching log file

bishaka · July 20, 2016, 5:24pm

Hi,
So my log file contains multiple patterns (2 diff types) so i made 2 different match patterns to accompany both of them. Everythings working fine and I don't get _grokparsefailure tags errors. However.. it is returning 2 different values for the same field (which makes sense). Now what I want to do is keep the ones I need and get rid of the ones I do not. How can I do that?

As you can see in the picture below, requestStatus, requestType and requestDetails all returning 2 different values.

My logstash file:
filter {
grok {
tag_on_failure => [ "BROKEN_GROK_SYSLOG", "_grokparsefailure" ]
overwrite => [ "message" ]
match => ["message", "%{NOTSPACE} %{NOTSPACE:threadType} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}"]

}
grok {
	tag_on_failure => [ "BROKEN_GROK_SYSLOG", "_grokparsefailure" ]
	overwrite => [ "message" ]
    match => ["message", "%{NOTSPACE} %{NOTSPACE} %{NOTSPACE} %{NOTSPACE:requestType} %{NOTSPACE} %{NOTSPACE:requestStatus} %{NOTSPACE} %{GREEDYDATA:requestDetails}"]

	}
mutate {
    remove => [ "message" ]
}

geoip {
  source => "clientip"
  target => "geoip"
  database => "/etc/logstash/GeoLiteCity.dat"
  add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
  add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}"  ]
}
mutate {
  convert => [ "[geoip][coordinates]", "float"]
}

}

warkolm · July 21, 2016, 11:30am

Please don't post pictures of text, they are difficult to read and some people may not be even able to see them.

magnusbaeck · July 21, 2016, 6:31pm

Why are you capturing different strings into the same requestType field in the first place? If you don't do that you won't have to clean up the field afterwards.