
I'm trying to create a filter for logstash that will have "general" grok filter for all logs and if some field exists, then I want it to perform a different grok.

The first grok I'm using is

grok {
  match => [
    "message", "....%{NOTSPACE:name} %{GREEDYDATA:logcontent}"
  ]
}

This is working great. But I want this to be able to filter even more if the "name" field is, e.g., "foo":

if [name] == "foo" {
  grok {
    match => [
      "message", ".....%{NOTSPACE:name} %{NOTSPACE:object1} %{NOTSPACE:object2}"
    ]
  }
}

I tried this option but it didn't work. Any thoughts?


1 Answer


The simplest way is to use a pattern match on the message before you grok anything.

For example:

if [message] =~ /....foo/ {
   # foo specific grok here
} else {
   # general grok
}
answered 2016-02-18T17:41:42.600
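
An added example, not taken from either post above: another way to chain the two groks is to run the general pattern first and then, only when `name` is `foo`, parse the already-captured `logcontent` field rather than matching `message` and capturing `name` a second time. It assumes `object1` and `object2` are the first two space-separated tokens after the name, as in the question's second pattern; the tag name `_grokparsefailure_foo` is a made-up label.

```logstash
filter {
  # General grok for every event; the pattern is copied from the question,
  # including its leading "...." prefix.
  grok {
    match => { "message" => "....%{NOTSPACE:name} %{GREEDYDATA:logcontent}" }
  }

  # Second pass only for events whose name is "foo". It parses the
  # logcontent field produced above, so "name" is not captured again.
  if [name] == "foo" {
    grok {
      match => { "logcontent" => "^%{NOTSPACE:object1} %{NOTSPACE:object2}" }
      # Hypothetical tag: distinguishes a failure of this foo-specific grok
      # from a failure of the general grok (default tag _grokparsefailure).
      tag_on_failure => ["_grokparsefailure_foo"]
    }
  }
}
```

Events carrying the `_grokparsefailure_foo` tag are `foo` lines that did not have two tokens in `logcontent`, which makes malformed or unexpected entries easy to find downstream.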