Grok filter if condition issue

Navneet_Mathpal · September 3, 2015, 2:33pm

Hi All,

how we can use if command in grok
some logs contain tag method
ex : "method" => "get" // I am able to parse the log
I want to add another field , if I am getting the log which is having tag called method
I was doing like but I am not able to do it , any idea where I am doing wrong

filter{
grok {
patterns_dir => "D:/log_file/patterns"
match => [ "message", "%{MASTER_LOG}" ]
}
if[ "method" in [tags]]
{

add_field => ["newtag", "manualtag"]

}
}

magnusbaeck · September 3, 2015, 6:04pm

This isn't a grok question, it's a general filter question. This is probably what you're looking for:

filter {
  ...
  if "method" in [tags] {
    mutate {
      add_tag => ["newtag", "manualtag"]
    }
  }
}

Navneet_Mathpal · September 4, 2015, 9:01am

@magnusbaeck Thank you Working fine ..