Add_field

Elastic Stack Logstash
1

Hi again,
i hav written following 2 pattern inside single match because i hav log files with 2 different patterns:
grok
{
match => ["message","%{BR1}%{SYSTEMDATE:timestamp}%{BR2} %{GREEDYDATA:Msg}",

                             "message","%{GREEDYDATA}process name %{GREEDYDATA:ProcessName}and process id %{NUMBER:ProcessId}"]
	}

And i have used add_field as follows:
if "process id" not in [message]
{
mutate{
add_field => ["pp"=>"%{ProcessId}"]
}
}
Here problem is that process id appears event matching with second match pattern but i want to use that process id to be added as field in the events matching the first match pattern.

But as for first match pattern there doesn't exist any process id while using add_field its value is added as string :pp=>%{ProcessId} .

So can any1 suggest how to use value from 1 match pattern to be added into event matching other match pattern ,
Thnks in advance

2

If pp is the field where you want to save the process id, why not put %{NUMBER:pp} in the grok expression and thus avoid the whole add_field thing?

3

Thnks for the reply,
But pp is a new field that i am trying to add into the event where process id doesnot exist.

basically i am trying to use process id from 1 event and adding the value of process id to other event where process id is not present!!

Ex:
-Abcd 1234 process id 20
-[22/02/16 09:59:30:811 GMT] 0000000 M TI: started.

Like above example i have 2 kind of events and have written match pattern for these as shown in my earlier post.

Now i want to use process id value i.e. 20 here to be added as new field in the second event where process id not present!!

4

Oh. Have a look at the aggregate filter. Logstash itself doesn't keep any state between events, i.e. field values for one event won't be accessible from other events.

5

Thnks again.