Hi!
I'd like to expand the logging to have more granular data available. However, the log format can't be updated on every instance, also in some cases, a backup restore will reset the changes. My issue is if I extend the grok pattern, it'll cause parse error for the fields not present in the current log format. Also, I would like not to rename the log itself.
Is there a way to set a conditional which won't result in a parse error?
Thank you!
YvorL
The grok filter's tag_on_failure option can be set to an empty array to avoid tagging events with _grokparsefailure.
Thank you!
I'll check it, but if I'm not mistaken, it'll only prevent showing that the parsing was unsuccessful and I still won't get the data I need from the "old" log format.
I don't understand. If you give an example it might be easier to get what you're trying to do.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.