I am rewriting a field using translate. Here is the config:
translate {
add_tag => [ "monitoring" ]
field => "container"
regex => true
exact => true
dictionary => [ 'sensu-client-*', "sensu-client",
.....
]
destination => "container"
This doesn't seem to add a tag:
{
"container" => "sensu-client",
"path" => "/var/log/containers/sensu-client-359_monitoring_sensu-client-072d54908c9d243d1f1e51e9a4dfc122e0e3961e5289930c6cf7004383d36a67.log",
"@timestamp" => 2017-04-04T02:48:26.305Z,
"@version" => "1",
"host" => "jessie",
"message" => "blahblah"
}
However, when I tell the filter to change the destination to a diffferently-named field, it works:
translate {
add_tag => [ "monitoring" ]
field => "container"
regex => true
exact => true
dictionary => [ 'sensu-client-*', "sensu-client",
.....
]
destination => "container2"
Gives this:
{
"container" => "sensu-client",
"path" => "/var/log/containers/sensu-client-359_monitoring_sensu-client-072d54908c9d243d1f1e51e9a4dfc122e0e3961e5289930c6cf7004383d36a67.log",
"@timestamp" => 2017-04-04T02:59:22.310Z,
"@version" => "1",
"host" => "jessie",
"container2" => "sensu-client",
"message" => "blahblah",
"tags" => [
[0] "monitoring"
]
}
This doesn't seem like the correct behaviour, does anyone have any idea if this is what is expected?
Thanks in advance.