Is it possible to use grok to match multiple fields using regex?
I have the metrics filter generating logs. Fields are generated per host and look like event.$HOST.count
At this point I'm trying
match => [ "event\.%{DATA}\.count", "0" ]
add_tag => "inactive"
Configtest shows no errors, however I cannot see anything generated here. Totally understand if this isn't possible.
match => [ "event\.%{DATA}\.count", "0" ] add_tag => "inactive"
Is this snippet from the grok filter? What is it supposed to mean? The match parameter of a grok filter should point to an array (or hash, I suppose) where the first element (or hash key) is a field name to match against and the second value (or hash value) is the grok expression. So,
match => ["message", "event\.%{DATA}\.count"]
makes sense (although nothing it captured) but what you have above doesn't.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.