Is it possible to move all fields matched by grok to a subfield?
    if [program] == "nginx-error" {
        grok {
            match => [ "message" , "%{NGINX_ERROR}" ]
            add_tag => ["nginx-error"]
        }
    }
I would like to move these, for example to the nginx-error
field in the document, and not have all the matches in the document root.
I know I can edit the pattern file, but this is a lot of work, and I was wondering if this could be done more easily.
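An added example of the filter above rewritten so the captures land under one subfield; this is not part of the original post. It relies on the grok filter's `target` option, which exists in logstash-filter-grok 4.4.0 and later (the poster's plugin version is not stated). `NGINX_ERROR` is taken to be the poster's own pattern, and the `patterns_dir` path is an assumption.

```logstash
filter {
  if [program] == "nginx-error" {
    grok {
      # NGINX_ERROR is assumed to live in the poster's own patterns directory
      # (it is not one of the patterns shipped with Logstash); the path is an assumption.
      patterns_dir => ["/etc/logstash/patterns"]
      match        => { "message" => "%{NGINX_ERROR}" }
      # target (grok plugin 4.4.0+) nests every named capture of the pattern
      # under this field instead of writing each one to the event root.
      target       => "[nginx-error]"
      # tags is always a root-level field; target does not move it.
      add_tag      => ["nginx-error"]
    }
  }
}
```

On a grok plugin older than 4.4.0 there is no `target`; the same nesting then has to be expressed in the captures themselves, e.g. `%{LOGLEVEL:[nginx-error][level]}` in the pattern file, or with a `mutate { rename => { "level" => "[nginx-error][level]" } }` per field after the grok, which is the per-field work the question is trying to avoid.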