Condition with regex edge-case - BUG?

I am parsing our logs, and want to apply a filter only to entries where the "message" field starts with "[AUDIT]", like this:

[AUDIT] an audit entry

My filter I'm testing with looks like this:

if [message] =~ /^\[AUDIT\]/ {
  mutate { add_tag => [ "test_audit" ] }
}

Now I feed in a lot of log entries with or without the [AUDIT] tag (we also have other tags), but none get the tag applied.

If I use something like if "[AUDIT]" in [message] that works, but this wouldn't be the same, as it would match the text anywhere in the message, not just at the beginning.

Matching on the beginning of other fields, e.g. our operation field, where we don't start with brackets, it works fine:

if [audit][operation] =~ /^GetData/ {
  mutate { add_tag => [ "operation_getdata" ] }
}

I have tried without escaping the brackets as well, but that didn't help.
Matching without the leading caret works fine too, i.e. only having /\[AUDIT\]/ as the regex - but that again is not the same, as it matches anywhere in the message field.

I am aware that I could use a non-conditional grok filter instead to add a tag, and then later use that tag in a condition - but this would be a workaround, not a solution :)

TL;DR: Matching on /\[AUDIT\]/ works, matching on /^something/ works, but matching on /^\[AUDIT\]/ does not work.
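As an added example (not code from the original post), the three conditions from the question run over a handful of constructed events in plain Ruby, the regex dialect Logstash conditionals follow. It also shows one caveat a "starts with" check should account for: in Ruby, `^` matches at the start of every line, while `\A` matches only at the start of the whole string.

```ruby
# Added example (not from the original post): how the three
# conditions discussed behave in plain Ruby regex semantics.
# The events below are constructed sample data.
EVENTS = [
  { "id" => 1, "message" => "[AUDIT] an audit entry" },
  { "id" => 2, "message" => "user login ok [AUDIT] appended later" },
  { "id" => 3, "message" => "[INFO] nothing to see here" },
  # multi-line message; "[AUDIT]" starts the second line only
  { "id" => 4, "message" => "first line\n[AUDIT] second line" },
].freeze

# Equivalent of:  if "[AUDIT]" in [message]   (substring anywhere)
def tag_substring(events)
  events.select { |e| e["message"].include?("[AUDIT]") }.map { |e| e["id"] }
end

# Equivalent of:  if [message] =~ /\[AUDIT\]/   (unanchored regex)
def tag_unanchored(events)
  events.select { |e| e["message"] =~ /\[AUDIT\]/ }.map { |e| e["id"] }
end

# Equivalent of:  if [message] =~ /^\[AUDIT\]/
# In Ruby, ^ matches at the start of *every* line, so a multi-line
# message with [AUDIT] on a later line is also tagged.
def tag_caret(events)
  events.select { |e| e["message"] =~ /^\[AUDIT\]/ }.map { |e| e["id"] }
end

# \A anchors to the start of the whole string, which is usually what
# "message starts with [AUDIT]" is meant to express for audit events.
def tag_string_start(events)
  events.select { |e| e["message"] =~ /\A\[AUDIT\]/ }.map { |e| e["id"] }
end

if __FILE__ == $0
  puts "substring:    #{tag_substring(EVENTS).inspect}"    # [1, 2, 4]
  puts "unanchored:   #{tag_unanchored(EVENTS).inspect}"   # [1, 2, 4]
  puts "caret:        #{tag_caret(EVENTS).inspect}"        # [1, 4]
  puts "string start: #{tag_string_start(EVENTS).inspect}" # [1]
end
```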
