Parsing dynamically using Logstash grok pattern (custom pattern)

Below is the code for the Logstash filter.
MYCUSTOMPATTERN is a custom pattern defined in ssk-patterns.

filter {
    grok {
        patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
        match => {"message" => "%{MYCUSTOMPATTERN}"}
    }
}

But I want to apply different patterns to multiple Filebeats.

So this is the modified code.

filter {
    if [fields][log_type] == '1' {
        grok {
            patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
            match => {"message" => "%{MYCUSTOMPATTERN}"}
        }
    }
    else if [fields][log_type] == '2' {
        grok {
            patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
            match => {"message" => "%{MYCUSTOMPATTERN2}"}
        }
    }
    .....
    .....
    .....
}

[log_type] is the field data sent by Filebeat.

Without using the above method.

filter {
    grok {
        patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
        match => {"message" => "%{[fields][log_type]}"}
    }
}

This code doesn't work.
Is there a way to behave dynamically with this simple code?

What do you mean by that? There are an infinite number of ways in which it could not work; you cannot expect us to correctly guess which one of them is occurring.
