Multiple patterns in grok filter

Billz1026 · October 19, 2018, 5:46am

Hi,

I have written following grok filter to match multiple log formats.

filter {
grok {
match => {
"message" => "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login Success [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}","%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login failed [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{GREEDYDATA:Information}"
}
}
}

but it gives following error when testing config.

[FATAL] 2018-10-19 11:05:10.035 [LogStash::Runner] runner - The given configuration is invalid. Reason: Expected one of #, {, } at line 12, column 335 (byte 460) after filter {.....

Please help to resolve this matter.

thanks in advance

Christian_Dahlqvist · October 19, 2018, 5:49am

You need to specify the list of grok patterns within square brackets. There is an example in the documentation on how to do this.

Billz1026 · October 19, 2018, 5:54am

I change the filter as below. but error is coming yet.

filter {
grok {
match => {
"message" => "[%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login Success [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}"], "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: Login failed [user: %{NUMBER:Service_Number}] [Source: %{IP:Log_in_Source}] %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{DATA:Month_From_Device}%{SPACE}%{NUMBER:Day_From_Device} %{TIME:Time_From_Device}: %%{DATA:Facility}-%{DATA:Severity}-%{DATA:Event}: %{GREEDYDATA:Information}", "%{MONTH:Month}%{SPACE}%{NUMBER:Day} %{TIME:Time} %{IP:Host} %{NUMBER:SEQ_NO}: %{GREEDYDATA:Information}"
}
}
}

Christian_Dahlqvist · October 19, 2018, 6:05am

That does not match the example from the docs, does it?

Topic		Replies	Views
Inserting several grok filters in one logstash conf file Logstash	4	380	May 31, 2019
Multiple grok filter Logstash	16	24217	October 3, 2017
Logstash Pipeline grok filter (match) fails - Expected one of [ \\t\\r\\n], \"#\", \"{\", \"}\" Logstash	5	1315	July 28, 2020
Please validate mutiple GROK filter Logstash	4	4007	May 10, 2018
Want to match against single grok pattern and multiple patterns in same filter Logstash	1	290	September 23, 2020

Multiple patterns in grok filter

Related topics