Get pre-filter raw message

raffis · November 2, 2015, 3:36pm

How can I get the original raw message?

I got two outputs, the first one should log the original raw log message and the second one the whole filtered stuff.
But I can't do input -> output -> filter -> output right?

So how can I log the raw text message in my first output and my modified %{message} in the second one?

magnusbaeck · November 2, 2015, 6:36pm

There's no obvious way. What kind of outputs do you have?

raffis · November 2, 2015, 8:59pm

"file" for untouched raw messages and elasticsearch

magnusbaeck · November 2, 2015, 9:12pm

Okay, that's good. As your first filter, copy the message field into a subfield of @metadata. Those fields aren't sent to ES (or other output, with a few exceptions). Then adjust the message_format option of your file output to reference the saved field.

output {
  file {
    ...
    message_format => "%{[@metadata][raw_message]}"
  }
  ...
}

raffis · November 3, 2015, 10:59am

This is exactly what I was looking for, awesome.

Topic		Replies	Views
Kibana .raw fields and "message" field Logstash	9	14007	July 6, 2017
Get back original message after grokking Logstash	8	2006	January 12, 2018
Logstash Logstash	7	304	April 29, 2021
Keep raw syslog event untampered Logstash	4	788	July 6, 2017
Remove message on filter before inserting in ES Logstash	4	6201	July 6, 2017

Get pre-filter raw message

Related topics