Logstash: multiple matches in grok does not work, but seperating does

Created on 13 Jun 2017 · 1Comment · Source: elastic/logstash

I am using ELK 5, the latest version

this is my data

state.ifconfig = 

Link encap:Ethernet  HWaddr 78:4b:87:ab:00:d1  
          inet addr:172.23.65.96  Bcast:172.23.67.255  Mask:255.255.252.0
          inet6 addr: fe80::7a4b:87ff:feab:d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3258286 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3926921 errors:0 dropped:0 overruns:0 carrier:0

state.iproute = 

default via 172.23.64.1 dev wlan0 
172.23.64.0/22 dev wlan0  src 172.23.65.96 
192.168.2.0/24 dev usb0  src 192.168.2.15

This does not work

filter {

  json {
    source => "message"
  }

  grok {
    match => {
      "[state][ifconfig]" => ["inet addr:%{IP:ip}", "HWaddr %{MAC:mac}"]
      "[state][iproute]" => "default via %{IP:gateway}"
    }
  }

}

This however works

filter {

  json {
    source => "message"
  }

  grok {
    match => {
      "[state][ifconfig]" => "inet addr:%{IP:ip}"
    }
  }

  grok {
    match => {
      "[state][ifconfig]" => ["HWaddr %{MAC:mac}"]
    }
  }

  grok {
    match => {
      "[state][iproute]" => "default via %{IP:gateway}"
    }
  }

}

Why is this so? I a rather new to the ELK stack

Source

benjaminhon

Most helpful comment

nvm i found out why

grok {
    break_on_match => false
    match => {
      "[state][ifconfig]" => ["inet addr:%{IP:ip}", "HWaddr %{MAC:mac}"]
      "[state][iproute]" => "default via %{IP:gateway}"
    }
  }

this works

benjaminhon on 13 Jun 2017

👍3

>All comments

nvm i found out why

grok {
    break_on_match => false
    match => {
      "[state][ifconfig]" => ["inet addr:%{IP:ip}", "HWaddr %{MAC:mac}"]
      "[state][iproute]" => "default via %{IP:gateway}"
    }
  }

this works

benjaminhon on 13 Jun 2017

👍3

Was this page helpful?

0 / 5 - 0 ratings