Logstash not adding new field tag

inuygoku · November 6, 2020, 8:56pm

I am trying to create a filter that will for event in my logs and add it to a field called "detected_event".

The filter I created is the following:

filter {
    if "Scan completed" in [logline] {
        mutate {
            add_field => { "detected_event" => "scan_completed" }
        }
    }
}

In my logs if a Scan has completed it would have the something like the following line in the logline message:

"Scan completed: 5fa2d007d1cc991ff9d90aa2 5fa2d0936e2b8d567f31b5f5"

When I added the filter and run my scans again, logstash had not added the filter I had in the filter configuration file.

My end goal here is to simply have a field I can query against instead of having to parse large log lines in kibana

elasticforme · November 6, 2020, 9:02pm

try as above to see if you have detected_event created. if it does then your matching is not working.

I might try this as well
if ([logline] =~ /Scan completed:/) {

}

elasticforme · November 6, 2020, 9:04pm

for exact matching I have used == in past

system · December 4, 2020, 9:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can not add a new field using if filter and add_field Logstash	6	457	July 27, 2020
Cannot add new field from event type Logstash	3	612	November 14, 2019
Adding tags after executing ruby code filter Logstash	7	6871	July 6, 2017
Filter add_field Logstash	2	306	February 18, 2019
Adding new fields from grok filter in logstash Logstash	1	547	November 20, 2018