t source /mnt/logs/core1ui1/Log_2017-01-13-12.log
My message gets inserted as above. I would like to add a tag (or a field) that tells me that source contained core1ui1. My current filter is as below but I have got neither a tag (nor a field) when it executes.
if [ source ] =~ /core1ui1/ {
mutate {
add_tag => [ "WebService" ]
#add_field => { "service" => "WebService" }
}
}
thank you
if [ source ] =~ /core1ui1/ {
Unless your field name really has leading and trailing space make this:
if [source] =~ /core1ui1/ {
thank you, that was the problem. much appreciated.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.