I have a grok filter in my Logstash conf where I match a message, and I want to add a new field "newfield" and populate its value from one specific field, "data1", from the message. Here is what my configuration looks like:

    input {
      file {
        path => "/var/log/myapp/myapp.log"
        sincedb_path => "/var/log/logstash/.sincedb2/myapp.log"
        start_position => beginning
        type => "myapp"
      }
    }
    filter {
      grok {
        match => {
          "message" => "%{TIMESTAMP_ISO8601:timestamp}\s+%{LOGLEVEL:loglevel}\s+%{JAVACLASS:class}:\s+%{WORD:word1}\s+%{WORD:word2}:\s+%{WORD:word3}=%{DATA:data1}+%{GREEDYDATA:content}"
        }
      }
      mutate {
        add_field => [ "newfield", "%{data1}" ]
      }
      if ("grokparsefailure" in [tags]) { drop {} }
    }
    output {
      if [type] == "myapp" {
        elasticsearch {
          hosts => [{% for node in elastic_data_hosts %}"{{node}}:{{elastic_port}}"{% if not loop.last %},{% endif %}{% endfor %}]
          index => "logstash-myapp-log"
        }
      }
    }

I can see the new field added in Kibana, but the value is not getting assigned. Am I doing it wrong, or have I missed anything?