Can't create a field with a variable from a grok match regex

TheSmartMonkey · August 2, 2018, 3:18pm

Thanks a lot @Badger I just removed the mutate and changed the data variable because it add a field automatically don't need add_field

the correct filter:

input {
  file {
    path => "/tmp/USER_DATA/FactoryContainer/images/*/oar/oar_image_job*.stdout"
    start_position => "beginning"
    add_field => { "data_source" => "oar-image-job" }
   }
}

filter {
    grok {
        match => { "path" => [ "/tmp/USER_DATA/FactoryContainer/images/%{DATA:unique_id}/oar/oar_image_job%{DATA}.stdout" ] }
    }
  
}

output {
  if [data_source] == "oar-image-job" {
    elasticsearch {
    	index => "oar-image-job-%{+YYYY.MM.dd}"
	hosts => ["localhost:9200"]
	}
    }
}