
logstash if field exists then grok


I'm trying to create a filter for logstash that will have a "general" grok filter for all logs and, if some field exists, then I want it to perform a different grok.

The first grok I'm using is

    grok {
      match => [
        "message", "....%{NOTSPACE:name} %{GREEDYDATA:logcontent}"
      ]
    }

This is working great. But I want this to be able to filter even more if the "name" field is, for example, "foo":

    if [name] == "foo" {
      grok {
        match => [
          "message", ".....%{NOTSPACE:name} %{NOTSPACE:object1} %{NOTSPACE:object2}"
        ]
      }
    }

I tried this option but it didn't work. Any thoughts?


Solution

  • The easiest way is to use a pattern match on the message before you grok anything.

    For example:

    if [message] =~ /....foo/ {
      # foo specific grok here
    } else {
      # general grok
    }
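A complete filter section that does what the question asks, added here as an example; it is not code from the question or the answer. The timestamp pattern used as an anchor in place of the question's `....` prefix, the field names and the constructed sample line are assumptions.

```logstash
# Constructed sample line this config expects (not from the original post):
#   2024-01-01T12:00:00Z foo bar baz
filter {
  # General grok, applied to every event. Anchoring with ^ stops grok from
  # scanning the whole untrusted line for a match anywhere inside it.
  grok {
    match => { "message" => "^%{TIMESTAMP_ISO8601:ts} %{NOTSPACE:name} %{GREEDYDATA:logcontent}" }
    tag_on_failure => ["_grokparsefailure_general"]
  }

  # Only events whose "name" field equals "foo" get the second, more specific
  # grok. A bare `if [name]` would test that the field exists at all.
  if [name] == "foo" {
    grok {
      match => { "message" => "^%{TIMESTAMP_ISO8601:ts} %{NOTSPACE:name} %{NOTSPACE:object1} %{NOTSPACE:object2}" }
      # Both groks capture "ts" and "name". Without overwrite the second match
      # appends, turning each field into a two-element array instead of a value.
      overwrite => ["ts", "name"]
      tag_on_failure => ["_grokparsefailure_foo"]
    }
  }
}
```

The separate `tag_on_failure` values make it visible in the output which of the two groks failed to match, which is what you want when a log line arrives in an unexpected shape.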