My logtash config has two filters: 1) parses a log message and 2) parses a JSON message:
filter {
grok {
match => { "message" =>
"\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:log_level}(?<space>\s*)\]\[%{DATA:thread_name}\]\[%{DATA:class_name}\]%{GREEDYDATA:log_msg}" }
}
json {
source => "message"
add_tag => ["RiskExplain"]
}
}
At the moment, if a JSON message is logged, it'll fail the grok filter before being parsed by the json filter. Because it failed the first filter, it'll receive a _grokparsefailure
tag. I'd like to remove this tag and only apply a parse failure tag if it fails BOTH filters. Is that possible?