Grok Filter Error in Logstash
Question
I have the following in my filter, for some reason it only prints email and not delivery_status. But when I comment out the email it then prints the delivery _status.
Is there a way to print them both without commenting either of them out?
filter {
grok {
patterns_dir => ["/etc/logstash/patterns/postfix"]
match => { "message" => "%{EMAIL}" }
match => { "message" => "%{DELIVERY_STATUS}" }
overwrite => [ "message" ]
}
}
Your help would be appreciated.
1 answers
solution1
0 ACCPTED 2017-01-11 12:25:03
By default the grok filter finishes on the first successful match. If you want to overwrite this behaviour, add this line:
break_on_match => false
For further reference check out the grok filter docs here .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Logstash grok filter error “_grokparsefailure”
Error parsing date with grok filter in logstash
Filter Apache Error Logs in Logstash using grok
Error in grok filter which starting logstash
grok filter for logstash
logstash grok filter pattern
Logstash grok filter regex
Logstash filter using grok
grok filter and logstash
Logstash grok filter integer
Related Tags