Grok match and move all to subfield

vincentvm · September 9, 2019, 8:45am

Is it possible to move all fields matched by grok to a subfield?

if [program] == "nginx-error" {
 grok {
   match => [ "message" , "%{NGINX_ERROR}"]
   add_tag => ["nginx-error"]
 }
}

I would like to move this for example to the nginx-error field in a document and not have all the matches in the document root.

I know I can edit the pattern file but this is a lot of work and was wondering if this could be done easier.

system · October 7, 2019, 8:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pattern Matching Logstash	8	1152	April 5, 2017
How to rename fields Logstash	4	2369	September 12, 2017
How can i parse one field further into different fields in another grok pattern? Logstash	3	1803	July 6, 2017
Parsing a message after the pattern Logstash	4	453	March 30, 2017
Grok rewrite field value if matches string Logstash	2	943	December 21, 2016