Add_field

Lucifer_hbp · August 23, 2016, 9:18am

Hi again,
i hav written following 2 pattern inside single match because i hav log files with 2 different patterns:
grok
{
match => ["message","%{BR1}%{SYSTEMDATE:timestamp}%{BR2} %{GREEDYDATA:Msg}",

                             "message","%{GREEDYDATA}process name %{GREEDYDATA:ProcessName}and process id %{NUMBER:ProcessId}"]
	}

And i have used add_field as follows:
if "process id" not in [message]
{
mutate{
add_field => ["pp"=>"%{ProcessId}"]
}
}
Here problem is that process id appears event matching with second match pattern but i want to use that process id to be added as field in the events matching the first match pattern.

But as for first match pattern there doesn't exist any process id while using add_field its value is added as string :pp=>%{ProcessId} .

So can any1 suggest how to use value from 1 match pattern to be added into event matching other match pattern ,
Thnks in advance

magnusbaeck · August 23, 2016, 9:43am

If pp is the field where you want to save the process id, why not put %{NUMBER:pp} in the grok expression and thus avoid the whole add_field thing?

Lucifer_hbp · August 23, 2016, 9:56am

Thnks for the reply,
But pp is a new field that i am trying to add into the event where process id doesnot exist.

basically i am trying to use process id from 1 event and adding the value of process id to other event where process id is not present!!

Ex:
-Abcd 1234 process id 20
-[22/02/16 09:59:30:811 GMT] 0000000 M TI: started.

Like above example i have 2 kind of events and have written match pattern for these as shown in my earlier post.

Now i want to use process id value i.e. 20 here to be added as new field in the second event where process id not present!!

magnusbaeck · August 23, 2016, 10:50am

Oh. Have a look at the aggregate filter. Logstash itself doesn't keep any state between events, i.e. field values for one event won't be accessible from other events.

Lucifer_hbp · August 24, 2016, 7:11am

Thnks again.