Hi Alex,
unfortunately that's not possible with Graylog at the moment (skipping the
following grok patterns if the current one already matched).
This being said, just creating multiple extractors per input will at least
give you the extracted message fields, by running all extractors of that
input on the message.
Cheers,
Jochen
On Wednesday, 30 September 2015 17:02:41 UTC+2, Alex B. wrote:
>
> Hello!
> Is there a way to do things like that with Graylog?
>
> grok {
>   break_on_match => true
>   match => [
>     "message", "<%{POSINT:syslog_pri}>1 %{TIMESTAMP_ISO8601:syslog_time} %{SYSLOGHOST:hostname} (?<message_program>[a-zA-Z0-9\-]+) [\- ]+ %{TIMESTAMP_ISO8601:@timestamp} %{LOGLEVEL:message_loglevel} (?<message_body>(?<message_syslog>.*))",
>     "message", "<%{POSINT:syslog_pri}>1 %{TIMESTAMP_ISO8601:syslog_time} %{SYSLOGHOST:hostname} (?<message_program>[a-zA-Z0-9\-]+) [\- ]+ %{TIMESTAMP_ISO8601:@timestamp} (?<message_body>(?<message_syslog>.*))",
>     "message", "<%{POSINT:syslog_pri}>1 %{TIMESTAMP_ISO8601:syslog_time} %{SYSLOGHOST:hostname} (?<message_program>[a-zA-Z0-9\-]+) [\- ]+ (?<message_body>(?<message_syslog>.*))",
>     "message", "(?<message_body>(?<message_debug>.*))"
>   ]
> }
>
>
> Test several patterns on a message, like Logstash.
>
> I'd like to do everything with Graylog and delete my Logstash instances.
>
>
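Added example, not part of the original thread and not Graylog or Logstash code: a Python sketch of the difference discussed above, comparing "stop at the first matching pattern" (break_on_match) with "run every extractor on the input". The regexes are simplified stand-ins for the grok patterns in the quoted config, and the sample log lines are constructed.

```python
import re

# Simplified regex stand-ins for the grok patterns in the quoted config
# (assumptions, not the real grok definitions). Python group names cannot
# contain "@", so @timestamp is named "timestamp" here.
TS = r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})"
HEAD = (r"<(?P<syslog_pri>[1-9][0-9]*)>1 (?P<syslog_time>" + TS + r") "
        r"(?P<hostname>[\w.-]+) (?P<message_program>[a-zA-Z0-9\-]+) [\- ]+ ")
BODY = r"(?P<message_body>(?P<message_syslog>.*))"
LEVEL = r"(?P<message_loglevel>DEBUG|INFO|WARN|ERROR|FATAL) "
PATTERNS = [re.compile(p) for p in (
    HEAD + r"(?P<timestamp>" + TS + r") " + LEVEL + BODY,  # most specific
    HEAD + r"(?P<timestamp>" + TS + r") " + BODY,
    HEAD + BODY,
    r"(?P<message_body>(?P<message_debug>.*))",            # catch-all
)]

# Constructed sample messages.
LINE_FULL = ("<34>1 2015-09-30T15:02:41Z web01 myapp - - - "
             "2015-09-30T17:02:40+02:00 INFO user login ok")
LINE_NOLEVEL = ("<34>1 2015-09-30T15:02:41Z web01 myapp - - - "
                "2015-09-30T17:02:40+02:00 user login ok")
LINE_PLAIN = "java.lang.IllegalStateException: boom"


def first_match(line):
    """break_on_match => true: return (index, fields) of the first hit only."""
    for idx, pat in enumerate(PATTERNS):
        m = pat.search(line)  # grok matches unanchored, so use search()
        if m:
            return idx, m.groupdict()
    return None, {}


def run_all(line):
    """Every extractor runs: return (index, fields) for each pattern that hits."""
    return [(idx, m.groupdict())
            for idx, pat in enumerate(PATTERNS)
            if (m := pat.search(line))]


if __name__ == "__main__":
    for line in (LINE_FULL, LINE_NOLEVEL, LINE_PLAIN):
        idx, fields = first_match(line)
        print("first match: pattern", idx, "->", fields.get("message_body"))
        for i, f in run_all(line):
            print("  run all: pattern", i, "->", f.get("message_body"))
```

On the fully structured line all four patterns match, so running every extractor yields four different message_body candidates plus message_debug, where break_on_match keeps only the first.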