Sprintf reference in grok pattern (help me~!)

judragon_dark · March 16, 2020, 6:23am

logstash filter code

 filter{
         grok {
                  patterns_dir => ["/etc/logstash/patterns/ssk-patterns"]
                  match => {"message" => "%{[fields][log_type]}"}           
         }
  }

[fields] [log_type] variable is the fields set in filebeat.
The above code does not work.

error code output

:exception=>#<Grok::PatternError: pattern %{[fields][log_type]} not defined

I want to apply different patterns to each filebeat without using if statements.
I couldn't solve it for 5 days.
Helpme~~

rcowart · March 16, 2020, 6:38am

You won't be able to do that as both general Logstash and grok use %{} for different purposes.

judragon_dark · March 16, 2020, 6:47am

Thank you for answer.
If so, is there any way to apply a different pattern to each filebeat without using an if statement?

rcowart · March 16, 2020, 7:11am

You can include multiple patterns in the match parameter of your grok filter.

grok {
  match => {
    "[message]" => [
      "%{GROKPATTERN1}",
      "%{GROKPATTERN2}",
      "%{GROKPATTERN3}"
    ]
  }
}

Other than that, you will need if statements.

Rob

How to install Elasticsearch & Kibana on Ubuntu - incl. hardware recommendations
What is the best storage technology for Elasticsearch?

judragon_dark · March 16, 2020, 8:57am

Thank you for answer.
It was very helpful.

system · April 13, 2020, 8:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.