So, this works:

    filter {
      if [type] == "test" {
        grok {
          match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel}%{SPACE}%{NOTSPACE:classname}%{SPACE}%{NOTSPACE:pool} - %{GREEDYDATA:logmsg}" }
        }
        if !("_grokparsefailure" in [tags]) {
          mutate {
            remove_field => ["message"]
          }
        }
      }
    }
But if I change the "if" line to
if [type] == "test" or [type] == "nis" {
It no longer works.
I also tried
if ([type == "test") or ([type] == "nis") {
and still nothing.
Does and/or not work? Should I use && or ||?
I also tried
if [type] in ["test", "nis"] {
and it fails in the same way.
If I go back to the working version and use two completely separate "if [type] == ", then it works.
The failure mode seems to generate a lot of "Lumberjack input: the pipeline is blocked, temporary refusing new connection" messages,
and it looks like nothing is actually getting through to Elasticsearch.
Bob
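For reference, here is a complete filter block using the two conditional forms Bob asks about. This is an added example, not configuration from the post: Logstash conditionals accept `and`, `or`, `!` and `in` (the `&&`/`||` operators are not part of the syntax), and the list form `[type] in ["test", "nis"]` is equivalent to the `or` form. The field name `type`, the values `test` and `nis`, and the grok pattern are taken from the post; `tag_on_failure` is the grok plugin's real option, written out explicitly here so the follow-up check is unambiguous.

```logstash
filter {
  # Same grok for both event types; "[type] in ["test", "nis"]" would be equivalent.
  if [type] == "test" or [type] == "nis" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel}%{SPACE}%{NOTSPACE:classname}%{SPACE}%{NOTSPACE:pool} - %{GREEDYDATA:logmsg}" }
      # This is grok's default failure tag; listed so the conditional below is explicit.
      tag_on_failure => ["_grokparsefailure"]
    }
    # Only drop the raw message once it has parsed cleanly, so events that did not
    # match keep their original content and can still be inspected in Elasticsearch.
    if !("_grokparsefailure" in [tags]) {
      mutate {
        remove_field => ["message"]
      }
    }
  }
}
```

A quick way to separate a syntax problem from a pipeline problem is to run the config through Logstash's configuration check before starting it (`logstash -t -f <config file>` on 1.x, `--config.test_and_exit` on later releases): a bracket or operator mistake such as `[type == "test"` is reported there, whereas a config that passes the check but still produces the "pipeline is blocked" message points at the filter stage backing up rather than at the conditional syntax.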