Multiple pattern matching

DFrant · August 8, 2017, 8:23am

Hello, I have a filter defined as follow:

            grok {
                    patterns_dir => ["/etc/logstash/conf.d/patterns/"]
                    match =>
                            [
				"message", "^%{TIMESTAMP_ISO8601:logdate}  INFO \[XML\] (ID) : %{NN_UTILISATEUR:nn_utilisateur} CERTIFICATE : %{DATA:certificate}$",
                                "message", "^%{TIMESTAMP_ISO8601:logdate}  INFO \[XML\] %{NN_UTILISATEUR:nn_utilisateur} %{STATUS:status} (xml) : %{TX_HEADER}<%{TX_TYPE:tx_type}%{DATA}>%{DATA:tx_content}</%{TX_TYPE}>$"
                            ]
            }

I have checked both of them on a grok tester and they match perfectly. But I don't have any results with the first one when I run the server. Is there something that I missed/didn't do correctly?

Thanks

magnusbaeck · August 9, 2017, 6:18am

Without seeing example data the only thing I can say is that I suspect that (ID) should really be \(ID\).

DFrant · August 9, 2017, 7:34am

Actually no, cause when I comment the second pattern, data corresponding to the first pattern are recorded..

magnusbaeck · August 9, 2017, 8:04am

Hmm. Maybe your attempt at matching multiple expressions against the same field uses the wrong syntax then. The documentation contains an example of the supported syntax.

system · September 6, 2017, 8:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK Multiple Match - Logstash Logstash	4	27158	July 6, 2017
I want to match two grok patterns in one config file? Logstash	6	3254	July 2, 2017
Multiple patterns for log file Logstash	2	1619	July 6, 2017
Multiple grok and multiple match option in one grok Logstash	2	4398	July 6, 2017
Custom pattern problems in the grok filter Logstash	2	2568	July 6, 2017

Multiple pattern matching

Related topics