Message field in logstash pipeline

Hi,
Is it possible in Logstash to change the message match field to another name?
I mean, I have the input and filter sections in my Logstash pipeline as follows:

    input {
      udp {
        host => "0.0.0.0"
        port => 895
      }
    }

    filter {
      grok {
        match => {'message' => ' <here are parsed fields> %{GREEDYDATA:message}'}
      }
    }

Can I change message to any other value, like event or raw_log? When I change this value to event, I get _grokparsefailure.
Thanks in advance.

Read up on the Logstash filter plugins:

Most relevant for you is the mutate plugin: Mutate filter plugin | Logstash Plugins

The mutate filter allows you to perform general mutations on fields. You can rename, replace, and modify fields in your events.

Example

    mutate {
        rename => {"shortHostname" => "hostname"}
    }

Note that the message field is usually a text field, and you would have to add a new mapping setting your new custom field to text for it to be searchable like message.


Yes, you can do:

  grok {
    match => {'anyotherfield' => ' <here are parsed fields> %{GREEDYDATA:message}'}
  }

For instance, you can: match => {'[event][original]' => ' <here are parsed fields> %{GREEDYDATA:message}'}

If you use 'message' => '...parsed fields... %{GREEDYDATA:message}', then you will get an array: [message][0]=old_(original)_data and [message][1]=message_from_greedydata. To avoid that, you can use overwrite on the message:

  grok {
    match => { "message" => "%{something} %{GREEDYDATA:message}" }
    overwrite => [ "message" ]
  }

As Mike said, you can of course use rename at any time.

If you have further questions, feel free to ask.

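The two suggestions above combined into one pipeline, as an added example that is not part of the original thread: message is renamed to raw_log before parsing, so the untouched datagram stays on the event for later review and the grok capture into message is a plain string rather than an array. The syslog-style pattern, the sample line and the field names syslog_pri, log_timestamp and source_host are assumptions, because the thread does not show the real log format.

```logstash
input {
  udp {
    host => "0.0.0.0"
    port => 895
  }
}

filter {
  # Move the raw datagram out of "message" before any parsing happens.
  # After this step the event has raw_log and no message field.
  mutate {
    rename => { "message" => "raw_log" }
  }

  grok {
    # The source field must exist on the event; here it is raw_log.
    # Constructed sample line this pattern is written for:
    #   <34>Oct 11 22:14:15 gw01 sshd[412]: Failed password for invalid user admin
    match => {
      "raw_log" => "<%{NONNEGINT:syslog_pri}>%{SYSLOGTIMESTAMP:log_timestamp} %{SYSLOGHOST:source_host} %{GREEDYDATA:message}"
    }
    # No overwrite needed: message no longer exists, so the capture
    # creates it instead of appending to the old value.
  }

  # Events that do not match keep raw_log unchanged and carry the
  # default _grokparsefailure tag, so they can be found and re-parsed.
  if "_grokparsefailure" in [tags] {
    mutate {
      add_field => { "parse_status" => "unparsed" }
    }
  }
}

output {
  # Print each event with all its fields while testing the filter.
  stdout { codec => rubydebug }
}
```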

This solution works for me.
Thanks a lot.
