Multiple pattern matching

DFrant · August 8, 2017, 8:23am

Hello, I have a filter defined as follow:

            grok {
                    patterns_dir => ["/etc/logstash/conf.d/patterns/"]
                    match =>
                            [
				"message", "^%{TIMESTAMP_ISO8601:logdate}  INFO \[XML\] (ID) : %{NN_UTILISATEUR:nn_utilisateur} CERTIFICATE : %{DATA:certificate}$",
                                "message", "^%{TIMESTAMP_ISO8601:logdate}  INFO \[XML\] %{NN_UTILISATEUR:nn_utilisateur} %{STATUS:status} (xml) : %{TX_HEADER}<%{TX_TYPE:tx_type}%{DATA}>%{DATA:tx_content}</%{TX_TYPE}>$"
                            ]
            }

I have checked both of them on a grok tester and they match perfectly. But I don't have any results with the first one when I run the server. Is there something that I missed/didn't do correctly?

Thanks

magnusbaeck · August 9, 2017, 6:18am

Without seeing example data the only thing I can say is that I suspect that (ID) should really be \(ID\).

DFrant · August 9, 2017, 7:34am

Actually no, cause when I comment the second pattern, data corresponding to the first pattern are recorded..

magnusbaeck · August 9, 2017, 8:04am

Hmm. Maybe your attempt at matching multiple expressions against the same field uses the wrong syntax then. The documentation contains an example of the supported syntax.

system · September 6, 2017, 8:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash 8.1 multiple patterns Logstash	2	160	December 22, 2023
Grok The correct syntax to match against multiple patterns Logstash	1	28	August 31, 2024
GROK Multiple Match - Logstash Logstash	4	27103	July 6, 2017
Want to match against single grok pattern and multiple patterns in same filter Logstash	1	257	September 23, 2020
Grok performance Logstash	5	1307	January 18, 2018

Multiple pattern matching

Related topics