Hello!
I'm trying to attribute a "delivery_conn_r" tag to logs from files ending with ".results". All other files get a "delivery_conn_t" tag.
This is what's on my pipeline thus far:
if "delivery_conn" in [tags] {
  if ([log][file][path] =~ "/var/log/conn/././%{UUID}\.results") {
    grok {
      match => {
        "[log][file][path]" => "/var/log/conn/././%{UUID:message_token}\.results"
      }
      add_tag => [ "my_parsed_tag", "delivery_conn_r" ]
    }
  } else {
    grok {
      match => {
        "[log][file][path]" => "/var/log/conn/././%{UUID:message_token}"
      }
      add_tag => [ "my_parsed_tag", "delivery_conn_t" ]
    }
  }
}
However, all logs are entering the second clause and being treated as non-.results tags. I think something might be wrong with the log.file.path syntax on my second if-clause:
if ([log][file][path] =~ "/var/log/conn/././%{UUID}\.results")
BTW I have checked that this regex should work for my filepath.
Can anyone suggest what might be wrong?
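For comparison, an added filter block (not from the original post) that expresses the same branching with a plain regex in the conditional. Logstash conditionals evaluate `=~` against a literal regex and do not expand grok `%{UUID}` names, so the UUID is spelled out; it assumes the path layout is `/var/log/conn/<dir>/<dir>/<uuid>[.results]` and that the remaining filter names are kept as in the post.

```logstash
filter {
  if "delivery_conn" in [tags] {
    # The conditional gets a real regex: grok pattern names such as %{UUID}
    # are only expanded inside the grok filter, never inside an "if".
    # The UUID is written out explicitly (8-4-4-4-12 hex groups).
    if [log][file][path] =~ /\/[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\.results$/ {
      grok {
        # Assumed layout: two intermediate directories, then <uuid>.results.
        # [^/]+ matches one directory name; "." alone would match only one character.
        match => {
          "[log][file][path]" => "^/var/log/conn/[^/]+/[^/]+/%{UUID:message_token}\.results$"
        }
        add_tag => [ "my_parsed_tag", "delivery_conn_r" ]
      }
    } else {
      grok {
        match => {
          "[log][file][path]" => "^/var/log/conn/[^/]+/[^/]+/%{UUID:message_token}$"
        }
        add_tag => [ "my_parsed_tag", "delivery_conn_t" ]
      }
    }
  }
}
```

Note that `add_tag` on a grok filter is only applied when the match succeeds, so an event whose path fails the grok regex carries `_grokparsefailure` and neither delivery tag; that is the first thing to check in the output when a tag is missing.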