Writing multiple grok filters

Hari_Krishna · March 11, 2020, 10:05am

This is how my log looks like:

2020-03-06 09:41:13.756480168 re0:ndp:18310 NDP_TP_NDP_MSG Function = "NdpIRBNhMapHandler", message = "NdpIRBNhMapHandler Entered"
2020-03-06 09:41:13.756485401 re0:ndp:18310 lltp_debug message = "NDP-DBG:NdpIRBNhMapHandler:381:: NdpIRBNhMapHandler Entered"
2020-03-06 09:41:13.770434539 re0:ndp:18310 BQEvents_BQ_OBJ_EVENT Guid = 893353199931, Op = "USER DEL CB", Obj = 0x7F6B8FE9DB00, Type_info = "AddrResolveReq"

This is the filter that i have written:

        pattern_definitions => { "mssg" => "((Msg|message|Message|message1|message2) [=])" }
        match => {
                "message" => ["%{TIMESTAMP_ISO8601:timestamp} %{WORD:node}:%{WORD:program}:%{INT:pid} %{WORD:tracetype}.*%{mssg} \"%{GREEDYDATA:Message}\""]
                         }

But this works only for the logs with "message".
The Function and message fields do not occur in all the logs. How can i write filters to match multiple patterns?

ITIC · March 11, 2020, 10:23am

Hi

Find a way to distinguish the different types of log entries you'll be getting and use if statements to call different grok{} instances, one for each type.

Hope this helps

Hari_Krishna · March 12, 2020, 9:22am

Hi Jordi,

Can you please give me an example on how to write if statements to call different grok{} instances?

ITIC · March 12, 2020, 10:35am

Hi

Take a look at this documentation: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

Let's say you want the word "message" in your mssg field, you'd do like this:

filter {
  if "message" in [mssg] {
	grok {<whatever you need to do here>}
  }
  else {
	<whatever you need to do here, maybe another gork{} filter>
  }
}

Hope this helps

Hari_Krishna · March 12, 2020, 10:54am

Thanks Jordi
I'll try it out

system · April 9, 2020, 11:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.