Menu
What is the valid logstash config of these 2 options?
else if [pipeline] == "tomcat_all" {
grok {
match => [ "message", "%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}(?:AM|PM)%{SPACE}%{NOTSPACE:class}%{SPACE}%{NOTSPACE:type_log}%{SPACE}%{WORD:loglevel}:%{SPACE}%{GREEDYDATA:log_text}" ]
match => [ "message", "%{TIME:timestamp}%{SPACE}\|-%{WORD:loglevel}%{SPACE}in%{SPACE}%{NOTSPACE:class}%{SPACE}%{GREEDYDATA:log_text}" ]
...
else if [pipeline] == "123" {
grok {
match => [ "message", "%{MONTH}%{SPACE}%{MONTHDAY},%{SPACE}%{YEAR}%{SPACE}%{HOUR}:?%{MINUTE}(?::?%{SECOND})%{SPACE}(?:AM|PM)%{SPACE}%{NOTSPACE:class}%{SPACE}%{NOTSPACE:type_log}%{SPACE}%{WORD:loglevel}:%{SPACE}%{GREEDYDATA:log_text}" ]
}
grok {
match => [ "message", "%{TIME:timestamp}%{SPACE}\|-%{WORD:loglevel}%{SPACE}in%{SPACE}%{NOTSPACE:class}%{SPACE}%{GREEDYDATA:log_text}" ]
}
Logstash seems to start fine with both configurations and report no errors, but the grok parsing isn't working properly with multiple grok patterns yet.
799
In comparison, both will almost perform equally since the default value for break_on_match is true.
break_on_match
Break on first match. The first successful match by grok will result in > the filter being finished. If you want grok to try all patterns (maybe you are parsing different things), then set this to false.
Your first pattern can be further simplified as follows,
filter {
grok {
match => [ "message", "PATTERN1", "PATTERN2" ]
}
}
Please refer to this answer as well, Multiple patterns in one log
166
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
