Two groks?

I have logs of memory usage. The problem is that some log descriptions are in Spanish and others in English.

Logs:

  12/30/19 15:34:50 host-name Uso de Memoria % vm.memory.size[pused] 67.6928
  12/30/19 16:03:58 host-name Used Memory % vm.memory.size[pused] 59.1605

grok:

%{DATA:fecha} %{TIME:hora} %{DATA:hostname} Uso de Memoria % vm.memory.size\[pused] %{NUMBER:porcentaje}

I remember reading that it is possible to have two groks, but this will throw a grok parse failure. Is there another approach that you can recommend?

You could use alternation in the pattern

%{DATA:fecha} %{TIME:hora} %{DATA:hostname} (Uso de Memoria|Used Memory) % vm.memory.size\[pused] %{NUMBER:porcentaje}
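An offline check of the two patterns from this thread against the two quoted log lines, added here as an example and not part of the original posts. It approximates grok with Python's `re`; the DATA, TIME and NUMBER expressions and the helper names `grok_to_regex` and `parse` are simplified assumptions, not Logstash's own definitions.

```python
import re

# Simplified stand-ins for the grok patterns used in the thread
# (assumptions, not Logstash's exact definitions).
GROK = {
    "DATA": r".*?",
    "TIME": r"\d{1,2}:\d{2}:\d{2}",
    "NUMBER": r"[+-]?\d+(?:\.\d+)?",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} references into named capture groups."""
    def expand(m):
        return "(?P<%s>%s)" % (m.group(2), GROK[m.group(1)])
    return re.compile(re.sub(r"%\{(\w+):(\w+)\}", expand, pattern))

# The original single-language pattern and the alternation from the answer.
SPANISH_ONLY = (r"%{DATA:fecha} %{TIME:hora} %{DATA:hostname} "
                r"Uso de Memoria % vm.memory.size\[pused] %{NUMBER:porcentaje}")
ALTERNATION = (r"%{DATA:fecha} %{TIME:hora} %{DATA:hostname} "
               r"(Uso de Memoria|Used Memory) % vm.memory.size\[pused] "
               r"%{NUMBER:porcentaje}")

# The two log lines quoted in the question.
LOGS = [
    "12/30/19 15:34:50 host-name Uso de Memoria % vm.memory.size[pused] 67.6928",
    "12/30/19 16:03:58 host-name Used Memory % vm.memory.size[pused] 59.1605",
]

def parse(pattern, line):
    """Return the named fields, or None where grok would tag _grokparsefailure."""
    m = grok_to_regex(pattern).search(line)
    return m.groupdict() if m else None

if __name__ == "__main__":
    for line in LOGS:
        print("spanish-only:", parse(SPANISH_ONLY, line))
        print("alternation: ", parse(ALTERNATION, line))
```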

Thanks Brother, you have helped me a lot, have a very good new year!!!!
