Adding tags to logs

Hi,
I want to add tags to my incoming logs. Below is a snippet of the log:
10.100.213.171 Jul 25 22:02:42 x86-hw user.info Cmog: 4884:UpgradeActor D {[4 04:01:52] DbUtil.cpp:805}[-4052732736]::[StartIcsClient]::domain=0 server=GRdbSvr

I want to tag this snippet of log as Upgrade. How should I go ahead?

What filters do you currently have?

filter {
    grok {
        match => ['message', '%{IP:NodeIP} %{SYSLOGTIMESTAMP:@timestamp} %{DATA:Arch} %{DATA:Server}: %{DATA:Junk} %{WORD:Info} %{GREEDYDATA:log_message}']
        break_on_match => false
    }

    grok {
        match => ['message', '...ZTR..']
        add_tag => 'ztr'
        break_on_match => false
    }

    grok {
        match => ['message', '..Workaround..']
        add_tag => 'workaround'
        break_on_match => true
    }
}

Can someone please help me out on this? I am stuck.

Please show an example event that isn't correctly processed. Use a stdout { codec => rubydebug } output so we can see a raw dump of the event after Logstash has processed it.

It gives me a _grokparsefailure tag if there is no matching word. I want to leave it untagged if nothing matches. What should I do?

Set the tag_on_failure option to an empty array.
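An added example, not part of the original thread, showing that option applied to tagging-only grok filters. The `UpgradeActor` match string comes from the sample log line and the `Upgrade` tag from the question; the stdin input and the choice to keep the default failure tag on the parsing grok are assumptions.

```logstash
input { stdin {} }

filter {
  # The field-extraction grok from the thread would go here, left at its
  # default tag_on_failure (["_grokparsefailure"]) so that lines which do
  # not parse at all are still flagged for review.

  # Tagging-only groks: a non-match is expected and is not an error, so
  # the failure tag is suppressed with an empty array.
  grok {
    match          => { "message" => "UpgradeActor" }
    add_tag        => ["Upgrade"]
    tag_on_failure => []
  }

  grok {
    match          => { "message" => "ZTR" }
    add_tag        => ["ztr"]
    tag_on_failure => []
  }

  grok {
    match          => { "message" => "Workaround" }
    add_tag        => ["workaround"]
    tag_on_failure => []
  }
}

# Raw dump of each processed event, as requested earlier in the thread.
output { stdout { codec => rubydebug } }
```

With this pipeline the sample line ends up with only the `Upgrade` tag, and a line matching none of the three strings has no tags at all.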

Awesome! Thank you so much!
