Can I apply different grok pattern in single input?

baalkchina · December 1, 2025, 5:34am

Hi all, I am new to graylog, and I am trying to using graylog store and do some anylize in syslog.

I had setting up a input (a syslog), and setting my firewall send session and nat logs to graylog server.

Then I add an grok extractor for nat log in this input, it works fine, I can searching search tab using my own pattern.

But how can I adding a new grok extractor in session log? while both session and nat log are in same input.

I tried streams, and made two different streams to seperate session and nat logs, is this a good idea to apply grok pattern in streams, instead in inputs?

Thanks!

Wine_Merchant · December 1, 2025, 11:19am

Hello @baalkchina,

You are on the right track by considering using streams. Apply a pipeline to each stream and parse out messages with rules as opposed to extractors. You will find there is much more flexibility within pipelines and rules.

Topic		Replies	Views
Efficient way to ingest lots of data and use GROK patterns? Graylog Central (peer support)	8	2426	April 25, 2020
Unwanted Grok Fields Graylog Central (peer support) grok-patternspl	5	865	October 31, 2023
GROK Pattern works in the extractor preview, but the logs are not processed Graylog Central (peer support)	11	100	August 7, 2024
Pipeline Grok Patterns Graylog Central (peer support) pipeline-rules , grok-patternspl , sidecar , filebeat-linux	10	9751	December 12, 2018
Multiple Grok Patterns - We were not able to run the grok extraction. Please check your parameters Graylog Central (peer support)	6	1430	December 9, 2022

Can I apply different grok pattern in single input?

Related topics