how to match several possible log events formats?

Question

I have events from one log source which can have several known formats. As an example

10:45 Today is Monday
11:13 The weather is nice
12:00 The weather is cloudy

I can match each of them via

The weather is %{WORD:weather}
Today is %{WORD:weekday}

I am not yet comfortable with the format of logstash filter. In order to account for each of these possibilities, should I build something like

if message =~ "The weather is"
{
    grok {
        "match" => "The weather is %{WORD:weather}"
    }
}
if message =~ "Today is"
{
    grok {
    "match" => "Today is %{WORD:weekday}"
    }
}

or is there something more compact? (for instance a list of possible patterns for the events with the associated mapping)

score 0 · Accepted Answer · answered Jan 30 '15 at 13:30

0

I found a solution: to enumerate the patterns:

filter {
        grok {
                match =>  { "message" => [ "hello %{WORD:who}", "the weather is %{WORD:weather}" ] }

                }
      }

answered Jan 30 '15 at 13:30

WoJ

27,165
48
180
345

how to match several possible log events formats?

1 Answers1