Treating sub-fields as full logs in their own right to be ingested


I want to parse a log and also parse a sub-log (which is a field of the parent log), and ingest them as two different logs.

Is this possible, and if so, which method or script should be used?

Thank you in advance!


If you want to ask questions in French, please do it here.

What is the format of your data?

Grok gives a possibility to do that:
If we take this log line
try number 123456 on 123456789

With a grok pattern like this

filter {
    grok {
        match => {
            "message" => "(?<message>%{WORD} %{WORD} %{INT:num_try} %{WORD} (?<total_try>[0-9]+))"
        }
    }
}

The result is

    "message": [
        "try number 123456 on 123456789"
    ],
    "num_try": [
        "123456"
    ],
    "total_try": [
        "123456789"
    ]

So in grok you can create a custom pattern with this syntax: (?<field_name> pattern here). This pattern can contain other custom patterns or existing patterns (num_try and total_try in the example).

Another solution would be to copy the global pattern into another field with the mutate filter and edit the copied field in ruby.
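As an added illustration of the reply above (not code from the thread or from Logstash itself), here is a plain Ruby script that does what the grok pattern does with named captures, then treats one captured field as a sub-log and parses it into a second, separate event. The outer line format, the `forwarded:` marker and the host name are constructed for the example; the embedded part is the thread's own log line.

```ruby
# Added example, not from the thread: parse an outer log line, then parse
# one of its fields (the embedded sub-log) as a second, separate event.
# The outer format and sample values are constructed; the inner line is
# the thread's own "try number 123456 on 123456789".

# Simplified Ruby equivalents of the grok %{WORD} and %{INT} patterns.
WORD = /\b\w+\b/
INT  = /[+-]?\d+/

# Outer (parent) log: timestamp, host, then the forwarded sub-log as a field.
OUTER = /\A(?<timestamp>\S+) (?<host>\S+) forwarded: (?<sub_message>.+)\z/

# Inner (child) log: same shape as the grok pattern in the reply above.
INNER = /\A(?<message>#{WORD} #{WORD} (?<num_try>#{INT}) #{WORD} (?<total_try>[0-9]+))\z/

# Turn a MatchData into a Hash of field name => value, as grok would.
def captures_to_fields(m)
  m.names.each_with_object({}) { |n, h| h[n] = m[n] }
end

# Parse one raw line into up to two events: the parent and, when the
# embedded field matches the inner pattern, a child tagged with its origin.
# A non-matching sub-log is recorded on the parent with a tag, so the
# failure stays visible instead of being silently dropped.
def split_events(line)
  outer = OUTER.match(line)
  return [] unless outer
  parent = captures_to_fields(outer).merge("type" => "gateway")
  events = [parent]
  inner = INNER.match(parent["sub_message"])
  if inner
    child = captures_to_fields(inner).merge("type" => "try", "parent_host" => parent["host"])
    child["num_try"] = Integer(child["num_try"])
    child["total_try"] = Integer(child["total_try"])
    events << child
  else
    parent["tags"] = ["_subgrokparsefailure"] # constructed tag name
  end
  events
end

# Constructed sample input line.
SAMPLE = "2023-05-01T10:00:00Z gateway01 forwarded: try number 123456 on 123456789"

if __FILE__ == $0
  split_events(SAMPLE).each { |e| puts e.inspect }
end
```

In a pipeline, each returned hash would be routed by its `type` field to its own output, which is the "two different logs" the question asks for.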


Thank you so much for your response.

My problem was to use two patterns (in the input { file } block) for the same logs.
It was like parsing the same file in two different ways.

Finally I had no solution, and suddenly I used two .conf.

Thank you again.
