Multiple patterns in grok filter

Billz1026 · October 19, 2018, 5:46am

Hi,

I have written following grok filter to match multiple log formats.

filter {
grok {
match => {
"message" => "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login Success [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}","%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login failed [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{GREEDYDATA:Information}"
}
}
}

but it gives following error when testing config.

[FATAL] 2018-10-19 11:05:10.035 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, {, } at line 12, column 335 (byte 460) after filter {.....

Please help to resolve this matter.

thanks in advance

Christian_Dahlqvist · October 19, 2018, 5:49am

You need to specify the list of grok patterns within square brackets. There is an example in the documentation on how to do this.

Billz1026 · October 19, 2018, 5:54am

I change the filter as below. but error is coming yet.

filter {
grok {
match => {
"message" => "[%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login Success [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}"], "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login failed [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{GREEDYDATA:Information}"
}
}
}

Christian_Dahlqvist · October 19, 2018, 6:05am

That does not match the example from the docs, does it?

system · November 16, 2018, 6:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Want to match against single grok pattern and multiple patterns in same filter Logstash	1	257	September 23, 2020
Multile pattren in single Grok Filter Logstash	5	285	August 28, 2018
Logstash 8.1 multiple patterns Logstash	2	160	December 22, 2023
Multiple Grok pattern filters arent filtering multiple logs in one logstash file Logstash	8	3586	February 13, 2020
Is logstash supports multiple grok pattern? Logstash elastic-stack-monitoring	3	108	April 29, 2024

Multiple patterns in grok filter

Related topics