Grok match and move all to subfield

vincentvm · September 9, 2019, 8:45am

Is it possible to move all fields matched by grok to a subfield?

if [program] == "nginx-error" {
 grok {
   match => [ "message" , "%{NGINX_ERROR}"]
   add_tag => ["nginx-error"]
 }
}

I would like to move this for example to the nginx-error field in a document and not have all the matches in the document root.

I know I can edit the pattern file but this is a lot of work and was wondering if this could be done easier.

system · October 7, 2019, 8:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How can i parse one field further into different fields in another grok pattern? Logstash	3	1802	July 6, 2017
Grok rewrite field value if matches string Logstash	2	943	December 21, 2016
Logstash - adding new fields Logstash	3	4343	February 11, 2017
How does logstash match? Logstash	5	286	January 3, 2023
Logstash Multiple Grok Add Field Logstash	3	1008	August 24, 2018