Newbie mutate filter failure

mhooper · 2017-01-13 17:16:35 UTC

t source /mnt/logs/core1ui1/Log_2017-01-13-12.log

My message gets inserted as above. I would like to add a tag (or a field) that tells me that source contained core1ui1. My current filter is as below but I have got neither a tag (nor a field) when it executes.

if [ source ] =~ /core1ui1/ {
mutate {
add_tag => [ "WebService" ]
#add_field => { "service" => "WebService" }
}
}
thank you

magnusbaeck · 2017-01-16 07:15:28 UTC

if [ source ] =~ /core1ui1/ {

Unless your field name really has leading and trailing space make this:

if [source] =~ /core1ui1/ {

mhooper · 2017-01-17 16:01:40 UTC

thank you, that was the problem. much appreciated.

system · 2017-02-14 16:01:46 UTC

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.