Hi all,
I have files stored as follows:
c: /..../ agency / device / log.txt
I want to extract the fields of agency and the device and add them to each event in the log.
Now I'm doing this using a grok filter, and it does work well for all the events in the log, but I want these fields to be added to the new elapsed events that are created as well, and I'm necessarily interested in creating a new event.
This is how my log looks right now:
filter {
  grok {
    # pull agency and device out of the file path (the "%" before GREEDYDATA:device was missing)
    match => { "path" => "%{GREEDYDATA}/%{GREEDYDATA:agency}/%{GREEDYDATA:device}/%{GREEDYDATA}.txt" }
  }
  elapsed {
    start_tag => "a"
    end_tag => "b"
    unique_id_field => "host"
    timeout => 100000
    new_event_on_match => true
    add_tag => "ab"
    keep_start_event => "last"
  }
}
Is there any way to do that?
Thank you!
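To make the requested behaviour concrete, here is an added illustration (my own code, not part of the original post and not Logstash code): the grok pattern from the post rewritten as a Python regex, followed by a small stand-in for the elapsed step that pairs start/end events by host, honours keep_start_event => "last", and copies the chosen fields (agency, device) from the start event onto the synthesized event. The sample events, timestamps and the Windows-style separator handling are my own assumptions.

```python
import re
from datetime import datetime, timedelta

# Python version of the (corrected) grok pattern from the post:
#   %{GREEDYDATA}/%{GREEDYDATA:agency}/%{GREEDYDATA:device}/%{GREEDYDATA}.txt
# GREEDYDATA is `.*`. Both "/" and "\" are accepted as separators because the
# post shows a "c:" path (assumption: Windows-style paths may appear).
PATH_RE = re.compile(
    r"^(?P<prefix>.*)[\\/](?P<agency>.*)[\\/](?P<device>.*)[\\/](?P<file>.*)\.txt$"
)


def path_fields(path):
    """Return {"agency": ..., "device": ...} for a path, or None if it does not match."""
    m = PATH_RE.match(path)
    if not m:
        return None
    return {"agency": m.group("agency"), "device": m.group("device")}


class Elapsed:
    """Stand-in for an elapsed step with new_event_on_match => true.

    The synthesized event additionally receives every field named in
    carry_fields, copied from the start event (the behaviour the post asks for).
    """

    def __init__(self, start_tag, end_tag, unique_id_field, timeout_seconds,
                 carry_fields, add_tag):
        self.start_tag = start_tag
        self.end_tag = end_tag
        self.unique_id_field = unique_id_field
        self.timeout = timedelta(seconds=timeout_seconds)
        self.carry_fields = carry_fields
        self.add_tag = add_tag
        self.starts = {}  # unique id -> most recent start event (keep_start_event => "last")

    def expire(self, now):
        """Drop start events older than the timeout; return how many were dropped."""
        stale = [uid for uid, ev in self.starts.items()
                 if now - ev["@timestamp"] > self.timeout]
        for uid in stale:
            del self.starts[uid]
        return len(stale)

    def filter(self, event):
        """Feed one event; return the new elapsed event, or None."""
        self.expire(event["@timestamp"])
        tags = event.get("tags", [])
        uid = event.get(self.unique_id_field)
        if uid is None:
            return None
        if self.start_tag in tags:
            self.starts[uid] = event  # a later start replaces the earlier one
            return None
        if self.end_tag in tags and uid in self.starts:
            start = self.starts.pop(uid)
            delta = event["@timestamp"] - start["@timestamp"]
            new = {
                "@timestamp": event["@timestamp"],
                self.unique_id_field: uid,
                "elapsed_time": delta.total_seconds(),
                "elapsed_timestamp_start": start["@timestamp"],
                "tags": ["elapsed", self.add_tag],
            }
            for name in self.carry_fields:  # the part the post is missing
                if name in start:
                    new[name] = start[name]
            return new
        return None


def run_sample():
    """Run constructed sample events (not real log data) through grok + elapsed."""
    t0 = datetime(2023, 1, 1, 12, 0, 0)
    path = r"C:\data\agency1\device7\log.txt"
    raw = [
        {"path": path, "host": "srv1", "tags": ["a"], "@timestamp": t0},
        {"path": path, "host": "srv1", "tags": ["a"], "@timestamp": t0 + timedelta(seconds=10)},
        {"path": path, "host": "srv1", "tags": ["b"], "@timestamp": t0 + timedelta(seconds=42)},
    ]
    elapsed = Elapsed("a", "b", "host", 100000, ["agency", "device"], "ab")
    out = []
    for ev in raw:
        ev.update(path_fields(ev["path"]) or {})  # the grok step
        out.append(ev)
        new = elapsed.filter(ev)
        if new is not None:
            out.append(new)
    return out


if __name__ == "__main__":
    for ev in run_sample():
        print(ev)
```

Because the second start replaces the first, the synthesized event measures 32 seconds rather than 42, and it carries agency and device from the start event that was actually paired.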