when using the field reference syntax, is the "resolution" of the value associated to a specific field performed by LS or it is performed at plugin level ?
for one of our specific needs we have to develop a filter plugin to resolve the full anem and group from a uidNumber.
see: https://github.com/EricDeveaud/logstash_filter_LDAPresolve
now I would like to use it in our LS pipeline
for that I have the following conf schema.
grok that consume and extract fields from the logs.
in particular grok set the field "uid" with correct value.
some mutate, date filter call and finaly I want to introduce the LDAPresolve filter
something like
filter {
grok {
patterns_dir => "/Users/edeveaud/logstash-conf/patterns"
match => {"message" => "%{GENSOFT_DATE1} %{HOST:exec_node} %{GENSOFT_JOBID}: %{NUMBER:uid:int} %{EXE_ROOT}/%{PACK:pack}/%{VERSION:version}/(%{ALPHANUMERIC}/)*%{PROG:prog} \(%{HOST:submit_host} %{DAY} %{MONTH:submit_month} +%{MONTHDAY:submit_day} %{TIME} %{YEAR:submit_year}\) \[%{ARGS:args}"}
} #end grok
}
fields are correctly reconise and extracted.
I use the field reference syntax without problem for further processing using the mutate and date filters
then
filter {
if "_grokparsefailure" not in [tags] {
LDAPresolve {
uidNumber => [uid]
host => "ldap.pasteur.fr"
userdn => "ou=utilisateurs,dc=pasteur,dc=fr"
groupdn => "ou=entites,ou=groupes,dc=pasteur,dc=fr"
cache_interval => 3600
}
} # end _groparsefailure
} # end filter
problem is that my filter plugin does not receive the correct uid number as input but receive the string "uid" and not the associated value from the event and son fails to resolve.
is logstash that resolve the field value and send the value stored to uid event field
or is it the responsability of the pluggin to get the value from given field name ?
regards
Erci