filter {
mutate {
add_field => {
"message" => "%{global_stats},%{num_rows}"
}

remove_field => ["oldfield1", "oldfield"]

}

grok {

add_tag => [ "valid" ]

match => [ "message" , "^YES,[123456789]+$"]

#}
grok {

add_field => {

"message" => "%{global_stats},%{num_rows}"

#}
match => [ "message" , "^YES,[123456789]+$" ]
tag_on_failure => ["failed records"]
add_tag => ["parsed"]
}
#grok {

match => [ "num_rows", "^[123456789]+$" ]

tag_on_failure => ["failed records"]

#}
}

Please format your configuration as preformatted text. There's a toolbar button for it.

Do you have more configuration than this? What does a line of input look like?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.