Does it go directly to the mutate/rename portion every time? Or does it rename the field, but just doesn't drop the record?
I had problems getting the "_grokparsefailure" in [tags] line to work in the past. But since the field only existed if there was a grokparsefailure, I changed it to read:
if ![tags] {
  mutate {...}
}
It basically says "If the field doesn't exist, then go on and run the mutate command". For your case, remove the exclamation mark so that it runs when the field exists.
If that still doesn't work, start going piece by piece until you find the area that doesn't match but should. For example, remove the message portion and just have the [tags] portion. Does it work then? If so then remove the [tags] portion and just run the message portions. Does it work then?
[quote="bhatch, post:3, topic:47591"]
Does it go directly to the mutate/rename portion every time? Or does it rename the field, but just doesn't drop the record?
[/quote]
It doesn't drop the value, and YES, it goes directly to mutate and renames.
[quote="bhatch, post:3, topic:47591"]
It basically says "If the field doesn't exist, then go on and run the mutate command". For your case, remove the exclamation mark so that it runs when the field exists.
If that still doesn't work, start going piece by piece until you find the area that doesn't match but should. For example, remove the message portion and just have the [tags] portion. Does it work then? If so then remove the [tags] portion and just run the message portions. Does it work then?
[/quote]
I will give it a try.
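The piece-by-piece isolation suggested in this thread, written out as an added example (not a config posted by either participant). The grok pattern, the `healthcheck` regex standing in for the "message portion", the `dbg_*` tags, the `and` joining the two halves, and the `client`/`src_ip` field names are all assumptions made for illustration.

```logstash
# Added example: feed test lines on stdin and inspect each event on stdout.
input { stdin { } }

filter {
  # Hypothetical pattern; lines that do not match get "_grokparsefailure" in [tags].
  grok {
    match => { "message" => "%{IP:client} %{WORD:action}" }
  }

  # Step 1: test the [tags] half on its own.
  # If "dbg_tags_matched" never shows up, the tag test is the part that fails.
  if "_grokparsefailure" in [tags] {
    mutate { add_tag => ["dbg_tags_matched"] }
  }

  # Step 2: test the message half on its own (placeholder regex).
  if [message] =~ /healthcheck/ {
    mutate { add_tag => ["dbg_message_matched"] }
  }

  # Step 3: the combined condition. An event is dropped here only if both
  # debug tags above would have been set; otherwise it falls through to rename.
  if "_grokparsefailure" in [tags] and [message] =~ /healthcheck/ {
    drop { }
  } else {
    mutate { rename => { "client" => "src_ip" } }
  }
}

# rubydebug prints every field, including [tags], so the debug tags are visible.
output { stdout { codec => rubydebug } }
```

While steps 1 and 2 are being checked, comment out the `drop { }` so the events that would be discarded still reach the output with their debug tags.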