Using _dissectfailure for matching multiple lines with dissect

nimblealliance · August 30, 2021, 7:20am

Hello

Could someone please let me know why my below filter using dissect doesn't work? I tried using the "_dissectfailure" option to parse logs when the first dissect filter fails and returns this tag but it doesn't seem to work :-

filter
{


	dissect
	{

	mapping => {"message" => "%{time}|%{thread}|%{rest} ,%{bleh1}all %{bleh2} ..."}


	}
	
	if "_dissectfailure" in [ tags ]

	{

	dissect

	{
	mapping => {"message" => "%{time}|%{thread}|%{rest}all %{bleh1}......"}

	}


}

This filter does work when the log lines match the first message but fails when it matches the second. I am new to logstash and as per my understanding the second dissect filter should have worked on this as the first one failed and returns a "_dissectfailure" tag , please correct me if I am wrong

system · September 27, 2021, 7:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to determine when dissect fails and branch to try a different dissect clause? Logstash	5	4964	January 10, 2019
Dissectfailure when it shouldn't Logstash	4	348	September 19, 2022
Understanding dissect behaviour Logstash	8	844	September 30, 2019
Multiple dissect in logstash Logstash elastic-stack-monitoring	5	761	November 18, 2020
Does Dissect's mapping able to match multiple pattern? Logstash	2	1311	March 20, 2020

Using _dissectfailure for matching multiple lines with dissect

Related topics