Hello,
I am new to Logstash and struggling with custom grok.
I have a log file that has a series of bracket-bound fields that I am trying to parse with kv. However, clearly I do not understand how to do this, as it is not processing my kv fields.
Here is my filter:

    filter {
      if [type] == "my-pixi-service" {
        grok {
          patterns_dir => ["/etc/logstash/patterns"]
          match => ["message", "%{MPS}"]
          add_tag => ["mps", "grokked"]
        }
        kv {
          source => "keyvalues"
          field_split => "]["
          remove_field => ["keyvalues"]
          add_tag => ["taggedy_tag"]
        }
      }
    }

Here is my pattern:

    MPS %{DATESTAMP:event_time} %{LOGLEVEL:log_level} %{GREEDYDATA:keyvalues}

The result is that I am getting the "keyvalues" field, but it is not executing the "kv" function. The keyvalues field is not being removed and the tag is not present.
I would greatly appreciate any assistance and guidance!