Home > Back-end >  Grok Conditional pattern in Logstash yaml (if..else)
Grok Conditional pattern in Logstash yaml (if..else)

Time:07-11

I would like to do grok pattern based on filter conditions using if-else. I've tried but I got the wrong output. Please help me on identifying the error here.

filter {
  if ([service] =~ /service-name/) {
    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:time}\] "}
    }
 }
 else{
   grok {
     match => { "message" => "\[%{TIMESTAMP_ISO8601:time}\] \[%{WORD:logLevel}\] \[\{\"id\":%{DATA:id},\"data\":%{DATA:response}\]"}
     }
   }
 }
}

and below is the log for which I want to do grok pattern

[11/Jul/2022:09:20:09  0000]|| 00.0.0.000 || "-" || "POST /api/v1/path/subpath HTTP/1.1" || 200 || 630 || 0.005 || "okhttp/4.9.0"

CodePudding user response:

In your first grok the timestamp is HTTPDATE format instead of ISO8601 format, you must change it. Delete also the white space after \]

Here my suggestions

filter {
  if ([service] =~ /service-name/) or ([service] =~ /service-name1/) {
    grok {
      match => { "message" => "\[%{HTTPDATE:time}\]\|\| %{IP:ip} \|\| "%{DATA}" \|\| "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion}))" \|\| %{NUMBER:response} \|\| (?:%{NUMBER:bytes}|-) \|\| (?:%{NUMBER:duration}|-) \|\| %{QS:user-agent}"}
    }
 }
 else{
   grok {
     match => { "message" => "\[%{TIMESTAMP_ISO8601:time}\] \[%{WORD:logLevel}\] \[\{\"id\":%{DATA:id},\"data\":%{DATA:response}\]"}
     }
   }
 }
}

Page link:https//www.codepudding.com/Backend/471832.html

Prev:Control template triggers cannot set value when used with StaticResource or x:Static
Next:SQS does not delete the message and runs infinite loop
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding