I have F5 appliances sending multiple events, so I use a split filter to separate these before parsing them.
The first grok filter I apply works, but any subsequent filters fail.
This is the working filter, with the match statement abbreviated:
    filter {
      # F5 High Speed Logging
      if [type] == "hsl_f5" {
        split {
        }
        grok {
          patterns_dir => "/opt/logstash/patterns"
          match => [ "message", "....." ]
          add_tag => "grokked_hsl_f5"
        }
      }
    }
If I add a statement within the grok {} section, to add a second tag for example, it works, e.g.
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "....." ]
      add_tag => "grokked_hsl_f5"
      add_tag => "test_tag"
    }
If I try to add anything to the filter outside that grok {} section, it is either ignored or Logstash stops processing the events at all, e.g.
    filter {
      # F5 High Speed Logging
      if [type] == "hsl_f5" {
        split {
        }
        grok {
          patterns_dir => "/opt/logstash/patterns"
          match => [ "message", "....." ]
          add_tag => "grokked_hsl_f5"
        }
        geoip {
          source => "client_ip"
          target => "geoip"
          database => "/etc/logstash/GeoLiteCity.dat"
          add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
          add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }
        mutate {
          convert => [ "[geoip][coordinates]", "float"]
        }
      }
    }
Is this a consequence of the split {} operator? Am I missing something?
Thanks
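One way to narrow this down, as an added example that is not part of the original post: tag each stage, and only run geoip when the field it needs is present, so every event that reaches the output carries a record of which filters ran on it after the split. The field names (`type`, `client_ip`), the pattern directory and the database path are taken from the post; the `stage_*` tag names are an assumption, the grok pattern is left abbreviated as in the post, and the `_grokparsefailure` tag is the one grok adds itself on a failed match.

```logstash
filter {
  # F5 High Speed Logging
  if [type] == "hsl_f5" {
    split {
      field => "message"            # default field; spelled out to make the split explicit
      add_tag => [ "stage_split" ]  # every child event produced by split gets this
    }
    grok {
      patterns_dir => "/opt/logstash/patterns"
      match => [ "message", "....." ]   # pattern abbreviated, as in the post
      add_tag => [ "stage_grok" ]       # only added when the match succeeds
    }
    # geoip needs the field grok extracts; skip the stage when grok failed
    # or did not produce client_ip, instead of letting geoip fail on every event
    if "_grokparsefailure" not in [tags] and [client_ip] {
      geoip {
        source => "client_ip"
        target => "geoip"
        database => "/etc/logstash/GeoLiteCity.dat"
        add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
        add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        add_tag => [ "stage_geoip" ]
      }
      mutate {
        convert => [ "[geoip][coordinates]", "float" ]
        add_tag => [ "stage_mutate" ]
      }
    }
  }
}
```

Run the pipeline once with `bin/logstash -t -f <config>` to rule out a syntax problem, then with a `stdout { codec => rubydebug }` output: the `tags` array on each emitted event shows exactly where processing stopped (for example `stage_split` with `_grokparsefailure` means grok is failing on the split events, while `stage_grok` without `stage_geoip` means `client_ip` was never set).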