Adding new fields from grok filter in logstash

userASR · October 23, 2018, 9:59am

I have a grok filter in my logstash conf. Where I match a message and I want to add a new field "newfield" and populate value from one specific field "data1" from the message. Here is how my configuration looks like:

input {
  file {
    path => "/var/log/myapp/myapp.log"
    sincedb_path => "/var/log/logstash/.sincedb2/myapp.log"
    start_position => beginning
    type => "myapp"
  }
}
filter {
   grok {
        match => {
          "message" => "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{JAVACLASS:class}:\s+%{WORD:word1}\s+%{WORD:word2}:\s+%{WORD:word3}=%{DATA:data1}+%{GREEDYDATA:content}"
       }
    }
    mutate {
        add_field => [ "newfield", "%{data1}" ]
    }
   if ("grokparsefailure" in [tags]) { drop {} }
}
output {
  if [type] == "myapp"{
    elasticsearch {
      hosts => [{% for node in elastic_data_hosts %}"{{node}}:{{elastic_port}}"{% if not loop.last %},{% endif %}{% endfor %}]
      index => "logstash-myapp-log"
     }
  }
}

I can see the new field added on Kibana but the value is not getting assigned. Am I doing it wrong or missed anything?

system · November 20, 2018, 10:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash - adding new fields Logstash	3	4343	February 11, 2017
How to assign the extracted data from log file to new added fields Logstash	6	284	September 27, 2020
Logstash debugger tool shows matched for filter but new fields don't appear on Kibana Logstash	3	605	January 18, 2018
Unable to get the new field in Kibana, defined in logstash! Logstash	1	274	January 16, 2019
Unable to get the new field in Kibana! Logstash	1	337	January 16, 2019

Adding new fields from grok filter in logstash

Related topics