Hello all.
I am trying to add a new field if an ip addr is in the message field. Something like that.
filter {
grok {
match => { "message" => "%{IP:client} }
add_field => { "remote_ip" => "%{client}" }
}
}
Someone has a hint for me to accomplish that?
thanks and cheers
Got it working with:
filter {
grok {
match => [ "message", "%{IP:client}" ]
}
mutate {
add_field => [ "remote_ip", "%{client}" ]
}
if ("_grokparsefailure" in [tags]) { drop {} }
}Why capture to the client field and then copy that into the remote_ip field? Why not capture into remote_ip directly?
Hi Magnus.
Thanks for your answer. You are right. With my example i had two new fields. I wasn't aware of the fact capturing leeds to a new field.
cheers
t.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.