Parsing dynamically using Logstash grok pattern(custom pattern)

judragon_dark · March 13, 2020, 5:36am

Below is the code for the logstash filter.
MYCUSTOMPATTERN is a custom pattern defined in ssk-patterns.

filter {
    grok {
            patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
            match => {"message" => "%{MYCUSTOMPATTERN}"}
    }
 }

but, I want to apply different patterns to multiple filebeats.

So this is the modified code.

filter {
    if [fields][log_type] == '1' {
            grok {
                   patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
                   match => {"message" => "%{MYCUSTOMPATTERN}"}
            }
    }
    else if [fields][log_type] == '2' {
            grok {
                   patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
                   match => {"message" => "%{MYCUSTOMPATTERN2}"}
            }      
    }
    .....
    .....
    .....
}

[log_type] is the field data sent by filebeat.

Without using the above method.

filter {
    grok {
            patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
            match => {"message" => "%{[fields][log_type]}"}
    }
}

This code doesn't work.
Is there a way to behave dynamically with this simple code?

Badger · March 13, 2020, 6:00pm

What do you mean by that? There are an infinite number of ways in which it could not work, you cannot expect us to correctly guess which one of them is occurring.

system · April 10, 2020, 6:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.