logstash if field exists then grok

Question

I'm trying to create a filter for logstash that will have "general" grok filter for all logs and if some field exists, then I want it to perform a different grok.

The first grok I'm using is

grok {
match => [
"message", "....%{NOTSPACE:name} %{GREEDYDATA:logcontent}" 
]
}

This is working great. But I want this to be able to filter even more if the "name" field is i.e "foo"

if [name] == "foo" {
grok {
match => [
"message", ".....%{NOTSPACE:name} %{NOTSPACE:object1} %{NOTSPACE:object2}" 
]
}

I tried this option but it didn't work. Any thoughts?

score 0 · Accepted Answer · answered Feb 18 '16 at 17:41

0

The easiest way is to use a pattern match on the message before you grok anything.

For example:

if [message] =~ /....foo/ {
   // foo specific grok here
} else {
   // general grok
}

answered Feb 18 '16 at 17:41

Alcanzar

16,985
6
42
59

Do you mean that i will need to put an example of the entire log in "if [message] =~ /.....foo/ ? or can I actually put the dots there and write the word I'm interested in ? – DevopsQueen Mar 02 '16 at 11:10
Just put enough to know that your grok will succeed. – Alcanzar Mar 02 '16 at 12:56

logstash if field exists then grok

1 Answers1