Adding tags to logs


(Ashvita) #1

Hi,
I want to add tags to my incoming logs. Below is a snippet of the log:
10.100.213.171 Jul 25 22:02:42 x86-hw user.info Cmog: 4884:UpgradeActor D {[4 04:01:52] DbUtil.cpp:805}[-4052732736]::[StartIcsClient]::domain=0 server=GRdbSvr

I want to tag this snippet of log as Upgrade. How should I go ahead?


(Magnus Bäck) #2

What filters do you currently have?


(Ashvita) #3

filter {
    grok {
        match => ['message', '%{IP:NodeIP} %{SYSLOGTIMESTAMP:@timestamp} %{DATA:Arch} %{DATA:Server}: %{DATA:Junk} %{WORD:Info} %{GREEDYDATA:log_message}']
        break_on_match => false
    }

    grok {
        match => ['message', '...ZTR..']
        add_tag => 'ztr'
        break_on_match => false
    }

    grok {
        match => ['message', '..Workaround..']
        add_tag => 'workaround'
        break_on_match => true
    }
}


(Ashvita) #4

Can someone please help me out on this? I am stuck.


(Magnus Bäck) #5

Please show an example event that isn't correctly processed. Use a stdout { codec => rubydebug } output so we can see a raw dump of the event after Logstash has processed it.


(Ashvita) #6

It gives me a _grokparsefailure tag if there is no matching word. I want to leave it untagged if nothing matches. What should I do?


(Magnus Bäck) #7

Set the tag_on_failure option to an empty array.
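
The suggestion above, written out as a complete test pipeline. This is an added example, not part of the original posts. It assumes the substring UpgradeActor is what identifies an upgrade line and that upgrade is the wanted tag name; the stdin input and rubydebug output are there only so the result can be inspected.

```logstash
# Added example. Paste the sample log line from the first post on stdin
# to see the resulting event.
input {
  stdin { }
}

filter {
  # Tagging grok: the pattern is an unanchored regex, so it matches any
  # message containing "UpgradeActor" (assumed marker for upgrade lines).
  grok {
    match          => { "message" => "UpgradeActor" }
    add_tag        => [ "upgrade" ]
    # Default is ["_grokparsefailure"]. An empty array means a line that
    # does not match is left untagged instead of being marked as a failure.
    tag_on_failure => [ ]
  }

  # Same approach for one of the tags from the poster's own filter.
  grok {
    match          => { "message" => "ZTR" }
    add_tag        => [ "ztr" ]
    tag_on_failure => [ ]
  }

  # Note: only silence tag_on_failure on groks used purely for tagging.
  # On a grok that parses fields, keeping the default failure tag is what
  # lets you find lines that were never parsed.
}

output {
  # Raw dump of each processed event, including its "tags" array.
  stdout { codec => rubydebug }
}
```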


(Ashvita) #8

Awesome! Thank you so much!

