Which hits get picked up by grok filter in multiline events

markus · July 19, 2016, 5:35am

Hi,
I have a question regarding the grok filter. I have event messages that contain mutliple matches for a certain pattern. I am confused as to which match is supposed to get picked up by the grok filter. The first match the last match all of them?

The behaviour for my data does not seem consistent to me. In one document it returns the last match in the next I get the first match.
The events are produced using the multiline filter, the matches are on different lines of the event messages

I am using a rather dated Version 1.5.2
Bye,
Markus

magnusbaeck · July 21, 2016, 6:28pm

Which match is picked up first depends on how the pattern is written and what the data looks like.

Topic		Replies	Views
Grok filter only uses last match, can this be changed? Logstash	1	762	December 23, 2016
Grok filter cannot parse log lines that are AFTER a multiline event Logstash	8	1960	July 6, 2017
Log event with multi-line Logstash	5	461	March 26, 2018
Multiline grok filter not working with specific log Logstash	3	250	April 4, 2022
Grok multiple matches issue Logstash	1	452	January 19, 2017

Which hits get picked up by grok filter in multiline events

Related topics