How can I get the original raw message?
I got two outputs, the first one should log the original raw log message and the second one the whole filtered stuff.
But I can't do input -> output -> filter -> output right?
So how can I log the raw text message in my first output and my modified %{message} in the second one?
There's no obvious way. What kind of outputs do you have?
"file" for untouched raw messages and elasticsearch
Okay, that's good. As your first filter, copy the message field into a subfield of @metadata. Those fields aren't sent to ES (or other output, with a few exceptions). Then adjust the message_format option of your file output to reference the saved field.
output {
file {
...
message_format => "%{[@metadata][raw_message]}"
}
...
}This is exactly what I was looking for, awesome.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.