I have the following in my filter; for some reason it only prints email and not delivery_status. But when I comment out the email, it then prints the delivery_status.
Is there a way to print them both without commenting either of them out?
filter {
  grok {
    patterns_dir => ["/etc/logstash/patterns/postfix"]
    match => { "message" => "%{EMAIL}" }
    match => { "message" => "%{DELIVERY_STATUS}" }
    overwrite => [ "message" ]
  }
}
Your help would be appreciated.
By default the grok filter finishes on the first successful match. If you want to overwrite this behaviour, add this line:
break_on_match => false
For further reference check out the grok filter docs here.
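The behaviour described in the answer, modelled in Python as an added example that is not part of the original question or answer and is not Logstash's own code. The sample log line and the two regexes are constructed stand-ins for the poster's EMAIL and DELIVERY_STATUS patterns, whose definitions are not shown on the page.

```python
import re

# Constructed Postfix delivery line (sample data, not from the original post).
SAMPLE = ("Jan 12 10:15:01 mx1 postfix/smtp[2211]: 4F1A2C0D: "
          "to=<alice@example.org>, relay=mail.example.org[192.0.2.10]:25, "
          "delay=0.4, status=sent (250 2.0.0 OK)")

# Assumed stand-ins for the custom EMAIL and DELIVERY_STATUS grok patterns;
# the real definitions live in the poster's patterns_dir.
PATTERNS = [
    re.compile(r"to=<(?P<email>[^>\s]+@[^>\s]+)>"),
    re.compile(r"status=(?P<delivery_status>\w+)"),
]


def grok(message, patterns, break_on_match=True):
    """Model of the grok pattern loop: try each pattern in order and
    merge its named captures into the event."""
    event = {"message": message}
    matched = False
    for pattern in patterns:
        m = pattern.search(message)  # grok patterns are unanchored by default
        if m is None:
            continue
        matched = True
        event.update(m.groupdict())
        if break_on_match:
            break  # default: stop after the first pattern that matches
    if not matched:
        event["tags"] = ["_grokparsefailure"]  # tag grok adds when nothing matches
    return event


if __name__ == "__main__":
    # Default: only the first pattern's field is extracted.
    print(grok(SAMPLE, PATTERNS))
    # With break_on_match disabled, both fields are extracted.
    print(grok(SAMPLE, PATTERNS, break_on_match=False))
```
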