Multiple pattern matching

DFrant · August 8, 2017, 8:23am

Hello, I have a filter defined as follow:

            grok {
                    patterns_dir => ["/etc/logstash/conf.d/patterns/"]
                    match =>
                            [
				"message", "^%{TIMESTAMP_ISO8601:logdate}  INFO \[XML\] (ID) : %{NN_UTILISATEUR:nn_utilisateur} CERTIFICATE : %{DATA:certificate}$",
                                "message", "^%{TIMESTAMP_ISO8601:logdate}  INFO \[XML\] %{NN_UTILISATEUR:nn_utilisateur} %{STATUS:status} (xml) : %{TX_HEADER}<%{TX_TYPE:tx_type}%{DATA}>%{DATA:tx_content}</%{TX_TYPE}>$"
                            ]
            }

I have checked both of them on a grok tester and they match perfectly. But I don't have any results with the first one when I run the server. Is there something that I missed/didn't do correctly?

Thanks

magnusbaeck · August 9, 2017, 6:18am

Without seeing example data the only thing I can say is that I suspect that (ID) should really be \(ID\).

DFrant · August 9, 2017, 7:34am

Actually no, cause when I comment the second pattern, data corresponding to the first pattern are recorded..

magnusbaeck · August 9, 2017, 8:04am

Hmm. Maybe your attempt at matching multiple expressions against the same field uses the wrong syntax then. The documentation contains an example of the supported syntax.

system · September 6, 2017, 8:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.