Hi!
I have a log with several fields. From those, I have one quoted string which needs to be matched against a regular expression pattern (case insensitive) and depending on the result I need to add a new field while keeping the original one too. The pattern is rather long (more than 500 chars) and most likely will grow over time. I'd like to keep the Logstash configuration file as readable and simple as possible.
As far as I got, I can't do that simply using a custom grok pattern because it can't be set to case insensitive. The best solution I got is ... more like a hack than a real solution. Is there any way I can make it more elegant?
grok { match => [ "message", "... %{QS:foo} ..." ] }
# Work on a lowercased copy so the original "foo" field is kept unchanged
mutate { add_field => [ "foo_tomatch", "%{foo}" ] }
mutate { lowercase => [ "foo_tomatch" ] }
grok {
  patterns_dir => ["./patterns"]
  match => [ "foo_tomatch", "%{MYPATTERN:foo_new}" ]
}
# Turn the capture into a true/false flag
if [foo_new] {
  mutate { replace => { "foo_new" => "true" } }
} else {
  mutate { replace => { "foo_new" => "false" } }
}
mutate { remove_field => [ "foo_tomatch" ] }
Thank you!
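
One way to get the same true/false field without the lowercased copy, shown as an added example that is not part of the original post: grok's regex engine (Oniguruma) accepts the inline `(?i)` flag, so the pattern file itself can carry the case-insensitivity. The alternation inside MYPATTERN is a constructed placeholder for the real 500+ character pattern; the "..." in the first match is kept as elided in the post.

```logstash
# ./patterns/custom  (one line, kept outside the pipeline file)
#   MYPATTERN (?i)(?:first alternative|second alternative)
#   ^ constructed placeholder; the leading (?i) makes the whole pattern
#     case-insensitive, so "foo" can be matched as-is

filter {
  # Extract the quoted string exactly as in the original configuration
  grok { match => [ "message", "... %{QS:foo} ..." ] }

  # Match the untouched field; add_field is only applied when grok succeeds
  grok {
    patterns_dir   => ["./patterns"]
    match          => { "foo" => "%{MYPATTERN}" }
    add_field      => { "foo_new" => "true" }
    # A non-match is an expected outcome here, not a parse failure,
    # so do not tag the event with _grokparsefailure
    tag_on_failure => []
  }

  # No match above means the field was never created
  if ![foo_new] {
    mutate { add_field => { "foo_new" => "false" } }
  }
}
```

The original `foo` field is never modified, so there is no temporary field to create or remove.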