Using _dissectfailure for matching multiple lines with dissect

nimblealliance · August 30, 2021, 7:20am

Hello

Could someone please let me know why my below filter using dissect doesn't work? I tried using the "_dissectfailure" option to parse logs when the first dissect filter fails and returns this tag but it doesn't seem to work :-

filter
{


	dissect
	{

	mapping => {"message" => "%{time}|%{thread}|%{rest} ,%{bleh1}all %{bleh2} ..."}


	}
	
	if "_dissectfailure" in [ tags ]

	{

	dissect

	{
	mapping => {"message" => "%{time}|%{thread}|%{rest}all %{bleh1}......"}

	}


}

This filter does work when the log lines match the first message but fails when it matches the second. I am new to logstash and as per my understanding the second dissect filter should have worked on this as the first one failed and returns a "_dissectfailure" tag , please correct me if I am wrong

system · September 27, 2021, 7:20am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to determine when dissect fails and branch to try a different dissect clause? Logstash	5	4958	January 10, 2019
Dissectfailure when it shouldn't Logstash	4	346	September 19, 2022
Multiple dissect in logstash Logstash elastic-stack-monitoring	5	757	November 18, 2020
Logstash filtering drives me nuts Logstash	8	436	June 16, 2021
Logstash with two dissect - only the first dissect is used now and then Logstash	2	392	January 20, 2022

Using _dissectfailure for matching multiple lines with dissect

Related Topics