I'm using add_tag and add_field and I don't see any of the fields or tags in the resulting message.
In my conf:
filter {
  grok {
    match => {
      "message" => "%{SYSLOG5424LINE}"
      add_tag => [ "boo" ]
    }
  }
}
filter {
  dns {
    reverse => ["host", "hostname"]
    action => "replace"
    add_field => { "foo" => "boo" }
    add_tag => [ "dns" ]
  }
...
The output messages have "tags":[]. All the messages successfully pass through the syslog filter. Not sure about the DNS one, since it may be using cached entries, but each message does have the dns result. The server is restarted and picked up the config file, so I don't know what's going on.
Using logstash 5.1.1 from rpm