I wonder if it's possible with logstash to add a field which is retrieved from another logline?
My filter currently looks like this:
    if ("" in [qid] and [qid] == 'proxy-reject') {
      mutate {
        replace => [ "qid", 'NOQUEUE']
      }
    }
What I want to achieve is to add another field which comes from another record but can be identified via a pid value:
    if("" in [qid] and [qid] == 'proxy-reject'){
      mutate {
        replace => [ "qid", 'NOQUEUE']
        add_field => ["client_ip", REFERENCE TO ANOTHER RECORD]
      }
    }
REFERENCE TO ANOTHER RECORD could be determined via a

    exists:client_ip and pid:[pid]
So I want to tell logstash to add a field which can be retrieved from client_ip field of another record with the same pid field as the current record.
Is such a thing even possible with logstash?
Thanks a lot for any input