Configuring dynamic facility with gelf output plugin


(Daniel Scott) #1

Hi,

I'm forwarding logstash messages to graylog using the gelf output plugin. I would like to send the facility to graylog, which I have available as a field called 'application' in logstash.

The documentation says that using the 'facility' field is deprecated and that it "Should now be sent as an underscored "additional field" (e.g. _facility)". My question is, how do I configure logstash to send this 'additional' field? I can see references to 'additional field' in the gelf documentation, but not in logstash, so I'm not sure how to achieve this.

Things I have tried:

  1. Using the mutate filter, with 'add_field => {"facility" => %{application}}'.
  2. Using custom_fields in the output plugin 'custom_fields => {"facility": %{application}"

I have also tried replacing facility with '_facility', but graylog does not show the correct facility.

For now, I'm still using the deprecated "facility => %{application}" method, but I'd like to know the correct way to do this going forward.

Thanks,

Dan

