

Can you provide an example of using conditional pattern matching in Grok


Conditional pattern matching in Grok is achieved by using conditionals in the Logstash configuration file. This allows you to apply different Grok patterns based on specific conditions, such as the presence of certain words or the type of log. Here's an example of how to use conditional pattern matching:

Example: Conditional Grok Patterns

Suppose you have logs of two types: `apache_access` and `apache_error`. You want to apply different Grok patterns based on these types.

```logstash
filter {
  if [type] == "apache_access" {
    grok {
      patterns_dir => "/path/to/patterns"
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  } else if [type] == "apache_error" {
    if "ModSecurity" in [message] {
      grok {
        patterns_dir => "/path/to/patterns"
        match => { "message" => "%{HTTPERRORDATE:date} \[%{HTTPMODULE:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\] \[client %{IP:IP}\] ModSecurity: %{GREEDYDATA:message}" }
        # The pattern captures into "message", which already exists; without
        # overwrite, grok appends and the field becomes an array
        overwrite => ["message"]
      }
    } else {
      grok {
        patterns_dir => "/path/to/patterns"
        match => { "message" => "%{HTTPERRORDATE:date} \[%{HTTPMODULE:module}:%{LOGLEVEL:loglevel}\] \[pid %{POSINT:pid}\] %{WORD:errorid}: %{GREEDYDATA:message}" }
        overwrite => ["message"]
      }
    }
  }
}
```

In this example:
- For logs of type `apache_access`, a specific Grok pattern (`COMBINEDAPACHELOG`) is applied.
- For logs of type `apache_error`, the presence of "ModSecurity" in the message determines which Grok pattern to use.

Handling Non-Matching Patterns

If a Grok pattern fails to match, Logstash adds a `_grokparsefailure` tag. You can handle this by using conditionals to apply alternative actions:

```logstash
filter {
  grok {
    match => { "message" => "%{COMMONAPACHELOG}" }
  }

  if "_grokparsefailure" in [tags] {
    # Try an alternative pattern or process the event differently
    grok {
      match => { "message" => "%{SYSLOGBASE}" }
      # remove_tag on a filter only runs when the filter succeeds, so the
      # tag is cleared on a match and stays if the fallback fails as well
      remove_tag => ["_grokparsefailure"]
    }
  }
}
```

In this case, if the first Grok pattern fails, Logstash attempts to match another pattern (`SYSLOGBASE`) and removes the `_grokparsefailure` tag if successful.
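As an added example (not code from this page or from Logstash itself), the Python below emulates both snippets: it expands `%{NAME:field}` tokens into a regex the way grok does, applies the type/ModSecurity dispatch, then runs the fallback branch and removes `_grokparsefailure` only when the fallback really matches. The definitions of `HTTPERRORDATE` and `HTTPMODULE`, the `FALLBACK` pattern, and the sample events are assumptions constructed for the example.

```python
import re
# Constructed grok subset; the HTTPERRORDATE and HTTPMODULE definitions are assumptions.
PATTERNS = {
    "LOGLEVEL": r"(?:error|warn|notice|info|debug)",
    "POSINT": r"[1-9][0-9]*",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "WORD": r"\w+",
    "GREEDYDATA": r".*",
    "HTTPERRORDATE": r"\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)? \d{4}",
    "HTTPMODULE": r"[a-z0-9_]+",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def grok_compile(pattern):
    """Expand %{NAME:field} tokens into named groups (one pass; nothing nests here)."""
    def expand(m):
        body = PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(TOKEN.sub(expand, pattern))
MODSEC = grok_compile(r"%{HTTPERRORDATE:date} \[%{HTTPMODULE:module}:%{LOGLEVEL:loglevel}\] "
                      r"\[pid %{POSINT:pid}\] \[client %{IP:IP}\] ModSecurity: %{GREEDYDATA:message}")
GENERIC = grok_compile(r"%{HTTPERRORDATE:date} \[%{HTTPMODULE:module}:%{LOGLEVEL:loglevel}\] "
                       r"\[pid %{POSINT:pid}\] %{WORD:errorid}: %{GREEDYDATA:message}")
FALLBACK = grok_compile(r"%{WORD:program}: %{GREEDYDATA:message}")  # assumed fallback pattern

def grok(event, regex):
    """One grok filter: unanchored search as in Logstash; captures overwrite existing
    fields (what overwrite => ["message"] does); on failure only the tag is added."""
    m = regex.search(event["message"])
    if m is None:
        tags = event.setdefault("tags", [])
        if "_grokparsefailure" not in tags:
            tags.append("_grokparsefailure")
        return False
    event.update(m.groupdict())
    return True

def filter_event(event):
    """Dispatch as in the config above, then the fallback; tag removed only on a real match."""
    if event.get("type") != "apache_error":
        return event
    grok(event, MODSEC if "ModSecurity" in event["message"] else GENERIC)
    if "_grokparsefailure" in event.get("tags", []) and grok(event, FALLBACK):
        event["tags"].remove("_grokparsefailure")
    return event

SAMPLES = [  # constructed events, not real log data
    {"type": "apache_error", "message": "Sat Jan 06 12:34:56.123456 2024 [security2:error] "
     "[pid 1234] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2)."},
    {"type": "apache_error", "message": "sshd: Accepted publickey for bob"},
]
```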
