Our EFK stack is receiving logs from several different Kubernetes containers and other sources that use differing log patterns. I have created a dissect processor that can extract certain fields from the message field. But I need a different grok pattern for each kind of container. I decided to use a condition, like so:
processors:
  - dissect:
      when:
        contains:
          container.name: "jobmon"
      tokenizer: "%{LOGLEVEL:log.level}:%{GREEDYDATA:package}:%{GREEDYDATA:details}"
      field: "message"
      target_prefix: "python"
But I get yaml parse errors on the "when" condition. It works without the when clause.
This is using Elasticsearch 7.8.
Is this possible? Is there a better way?
Thanks
Geoff
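The snippet below is an added worked example, not code from the post above or from Filebeat itself. It models the processor layout the question is after: the `when` block nests inside the `dissect` mapping next to `tokenizer`, `field` and `target_prefix`, with one conditional dissect per container type. Two things it assumes are labelled in the comments: the second (nginx) processor, the container names and the log lines are all constructed for the example; and the dissect emulation (each `%{key}` consumes up to the next literal delimiter, the last key takes the remainder) is an approximation of Filebeat's dissect, written here so the config can be exercised offline. Note that dissect keys are plain `%{name}`; the grok-style `%{PATTERN:name}` tokens in the original tokenizer belong to Logstash/ingest grok, not to the dissect processor.

```python
import re

# Assumed Filebeat-style processor list (example config, not the poster's file).
# `when` sits inside the `dissect` mapping, beside tokenizer/field/target_prefix.
# The nginx processor is invented purely to show a second, differently gated pattern.
PROCESSORS = [
    {"dissect": {
        "when": {"contains": {"container.name": "jobmon"}},
        "tokenizer": "%{log.level}:%{package}:%{details}",
        "field": "message",
        "target_prefix": "python",
    }},
    {"dissect": {
        "when": {"contains": {"container.name": "nginx"}},
        "tokenizer": '%{client} - - [%{timestamp}] "%{request}" %{status} %{bytes}',
        "field": "message",
        "target_prefix": "nginx",
    }},
]

# Constructed sample events; container names and messages are made up for the demo.
SAMPLE_EVENTS = [
    {"container.name": "jobmon-7d9f", "message": "INFO:jobmon.scheduler:started run 42"},
    {"container.name": "nginx-ingress",
     "message": '10.0.0.1 - - [10/Jul/2020:12:00:00 +0000] "GET /health HTTP/1.1" 200 12'},
    {"container.name": "redis", "message": "1:M 10 Jul 2020 12:00:00.000 * Ready to accept connections"},
]


def condition_matches(when, event):
    """Evaluate the subset of Filebeat conditions used in this example: `contains` only.
    Every listed field must be a string containing the given substring."""
    for field, needle in when.get("contains", {}).items():
        value = event.get(field)
        if not isinstance(value, str) or needle not in value:
            return False
    return True


def dissect(tokenizer, text):
    """Approximate dissect semantics (assumption, not Filebeat's code): split the
    tokenizer into literals and %{key} tokens, let each key consume text up to the
    next literal, and give the last key whatever remains. Returns a dict of
    key -> value, or None when the text does not fit the pattern."""
    parts = re.split(r"%\{([^}]*)\}", tokenizer)
    literals = parts[0::2]
    keys = parts[1::2]
    pattern = re.escape(literals[0])
    for i, _key in enumerate(keys):
        last = i == len(keys) - 1
        pattern += "(.*)" if last else "(.*?)"
        pattern += re.escape(literals[i + 1])
    match = re.fullmatch(pattern, text, re.DOTALL)
    if match is None:
        return None
    return dict(zip(keys, match.groups()))


def apply_processors(event, processors=PROCESSORS):
    """Run every dissect whose `when` condition holds for the event and write the
    extracted keys under `<target_prefix>.<key>`. Events that match no condition,
    or whose message does not fit the tokenizer, are returned unchanged."""
    out = dict(event)
    for proc in processors:
        cfg = proc["dissect"]
        if "when" in cfg and not condition_matches(cfg["when"], out):
            continue
        fields = dissect(cfg["tokenizer"], out.get(cfg["field"], ""))
        if fields is None:
            continue
        prefix = cfg.get("target_prefix", "dissect")
        for key, value in fields.items():
            out[f"{prefix}.{key}"] = value
    return out


def process_all(events=SAMPLE_EVENTS):
    """Apply the processor chain to each sample event."""
    return [apply_processors(e) for e in events]


if __name__ == "__main__":
    for enriched in process_all():
        print(enriched)
```

Running it shows the jobmon line gaining `python.log.level`, `python.package` and `python.details`, the nginx line gaining `nginx.*` fields only, and the redis line passing through untouched because neither condition holds.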