I want to update the "tags" field to a certain value when my "message" contains the string "Error: 18456" in it.
This is the [message] value that ends up in Kibana:
message 2019-12-26 15:07:09.53 Logon Error: 18456, Severity: 14, State: 8.
This is my filter in Logstash:
filter {
  if "Error: 18456" in [message] {
    mutate {
      update => { "tags" => "Error - Login failed" }
    }
  }
}
I do not get any error when running this configuration, but the "tags" field does not get updated. Do you see a syntax or logic error in my code? Thank you!
Thank you for your reply. The "tags" field indeed exists. In other filters, I am able to update "tags" on an "if ... in" statement. The only difference is that the other filters go against fields other than [message]. I am wondering if there is something special about the fact that I am going against the [message] field, which is incidentally of type _doc.
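A worked filter for the same message, added here as an example and not taken from the thread: it parses the SQL Server-style logon error into fields with grok (the field names sql_error, sql_severity, sql_state and failed_login_state are assumed) and tags the event with add_tag, which appends to the [tags] array whether or not the field already exists, unlike mutate's update, which only changes a field that is already present.

```conf
filter {
  # Added example, not from the thread. Parse
  # "2019-12-26 15:07:09.53 Logon Error: 18456, Severity: 14, State: 8."
  # into typed fields so the condition can test a number, not a substring.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:event_time} Logon Error: %{NUMBER:sql_error:int}, Severity: %{NUMBER:sql_severity:int}, State: %{NUMBER:sql_state:int}\." }
    tag_on_failure => [ "_sqlerror_grokparsefailure" ]
  }

  if [sql_error] == 18456 {
    mutate {
      # add_tag appends to [tags] (creating it if needed); update only
      # modifies an existing field, and replace creates or overwrites it.
      add_tag   => [ "Error - Login failed" ]
      add_field => { "failed_login_state" => "%{sql_state}" }
    }
  }
}
```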