I have a question regarding the grok filter. I have event messages that contain multiple matches for a certain pattern. I am confused as to which match is supposed to get picked up by the grok filter: the first match, the last match, or all of them?
The behaviour for my data does not seem consistent to me. In one document it returns the last match; in the next I get the first match.
The events are produced using the multiline filter; the matches are on different lines of the event messages.
I am using a rather dated version, 1.5.2.
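Which occurrence a grok match "picks" is decided by the regex engine, not by grok choosing first or last: a search returns the first position at which the whole pattern can match, and greedy quantifiers, newline handling and anchors shift that position. The script below is an added illustration written for this page (it is not code from the original post and not Logstash's own grok implementation); it emulates the relevant semantics with Python's `re` module on a constructed three-line event, using `re.MULTILINE` and `re.DOTALL` to mimic Oniguruma's line-anchored `^`/`$` and its newline-excluding `.`. The event text and the field names are assumptions.

```python
import re

# Constructed sample event, as the multiline filter would hand it to grok:
# three physical lines joined with "\n" (assumption; not taken from the post).
EVENT = (
    "2015-07-01 10:00:00 start job=alpha\n"
    "  worker=1 status=OK\n"
    "  worker=2 status=FAIL\n"
)

# Hypothetical grok-like sub-pattern with a named capture.
STATUS = r"status=(?P<status>\w+)"


def first_match(text, pattern=STATUS, flags=0):
    """Plain, unanchored search: the first occurrence anywhere in the message wins."""
    m = re.search(pattern, text, flags)
    return m.group("status") if m else None


def all_matches(text, pattern=STATUS):
    """Every occurrence, for comparison; a single regex match never yields this list."""
    return [m.group("status") for m in re.finditer(pattern, text)]


def last_match_via_greedy(text):
    """A greedy '.*' that may span lines (DOTALL) drags the capture to the LAST status."""
    m = re.search(r"job=\w+.*" + STATUS, text, re.DOTALL)
    return m.group("status") if m else None


def greedy_without_dotall(text):
    """Same pattern without DOTALL: '.' will not cross a newline, so nothing matches."""
    m = re.search(r"job=\w+.*" + STATUS, text)
    return m.group("status") if m else None


def end_anchored(text):
    r"""'\Z' anchors to the end of the whole message, which selects the last line."""
    m = re.search(STATUS + r"\s*\Z", text)
    return m.group("status") if m else None


def line_end_anchored(text):
    """'$' in MULTILINE mode (Ruby/Oniguruma's default '$') is a line anchor: first line wins."""
    m = re.search(STATUS + r"\s*$", text, re.MULTILINE)
    return m.group("status") if m else None


if __name__ == "__main__":
    print("first_match        :", first_match(EVENT))
    print("all_matches        :", all_matches(EVENT))
    print("greedy + DOTALL    :", last_match_via_greedy(EVENT))
    print("greedy, no DOTALL  :", greedy_without_dotall(EVENT))
    print("end-anchored (\\Z)  :", end_anchored(EVENT))
    print("line-anchored ($)  :", line_end_anchored(EVENT))
```

The practical check for a pattern that "sometimes" returns the last occurrence is to look for a greedy `.*` or a trailing anchor before the capture: with one line layout the greedy part stops on the first line, with another it is allowed to run past the first `status=` and only the last one can satisfy the rest of the pattern.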