Changing grok pattern gradually

Hi!

I'd like to expand the logging to have more granular data available. However, the log format can't be updated on every instance; also, in some cases, a backup restore will reset the changes. My issue is that if I extend the grok pattern, it'll cause a parse error for the fields not present in the current log format. Also, I would like not to rename the log itself.
Is there a way to set a conditional which won't result in a parse error?

Thank you!
YvorL

The grok filter's tag_on_failure option can be set to an empty array to avoid tagging events with _grokparsefailure.
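A Logstash filter sketch for the situation in this thread, added here as an illustration and not part of the original reply. It goes beyond the reply by also listing the old and the extended pattern in one grok `match` array; the log layout, the field names (`request_id`, `duration_ms`) and the `legacy_format` tag are constructed assumptions.

```logstash
# Constructed sample lines (assumed formats, not from the thread):
#   old:      2024-05-01T10:00:00Z INFO user login ok
#   extended: 2024-05-01T10:00:00Z INFO req=ab12 dur=35 user login ok
filter {
  grok {
    # Patterns are tried in order. With break_on_match at its default (true)
    # the first pattern that matches is used, so the more specific extended
    # format is listed first and the old format acts as the fallback.
    match => {
      "message" => [
        "^%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} req=%{NOTSPACE:request_id} dur=%{NUMBER:duration_ms:int} %{GREEDYDATA:msg}$",
        "^%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{GREEDYDATA:msg}$"
      ]
    }
    # As suggested in the reply: do not add _grokparsefailure.
    # Lines that match neither pattern then pass through untagged.
    tag_on_failure => []
  }

  # Conditional on a field only the extended format provides. Events from
  # instances still on the old format (for example after a backup restore)
  # are marked so they can be counted and followed up.
  if ![request_id] {
    mutate {
      add_tag => ["legacy_format"]
    }
  }
}
```

Events in the old format keep `ts`, `level` and `msg`; only the extra fields are absent, and the `legacy_format` tag shows which sources have not been migrated yet.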

Thank you!
I'll check it, but if I'm not mistaken, it'll only prevent showing that the parsing was unsuccessful and I still won't get the data I need from the "old" log format.

I don't understand. If you give an example it might be easier to get what you're trying to do.
