How to apply parse failure tag only when message fails BOTH filters instead of just one?

drjosephliu · August 13, 2020, 9:23am

My logtash config has two filters: 1) parses a log message and 2) parses a JSON message:

filter {
  grok {
    match => { "message" =>
    "\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:log_level}(?<space>\s*)\]\[%{DATA:thread_name}\]\[%{DATA:class_name}\]%{GREEDYDATA:log_msg}" }
  }
  json {
    source => "message"
    add_tag => ["RiskExplain"]
  }
}

At the moment, if a JSON message is logged, it'll fail the grok filter before being parsed by the json filter. Because it failed the first filter, it'll receive a _grokparsefailure tag. I'd like to remove this tag and only apply a parse failure tag if it fails BOTH filters. Is that possible?

Badger · August 13, 2020, 2:28pm

If grok fails you get a _grokparsefailure tag, if json fails you get a _jsonparsefailure tag. If both are present you can add the failure tag that you want and remove those two.

system · September 10, 2020, 2:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.