Is there any problem with defining a custom expression in the already existing pattern file that I believe is read here in version 7.2:
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns/grok-patterns
I wouldn't think so, but assuming before has nailed me.
Thanks for everyone's help as always.
That could get overwritten during an upgrade or re-install, and I do not see any benefit from doing so. Why not create /usr/share/logstash/patterns and add a file containing the pattern there?
Good point. Honestly, there are so many moving parts I was hoping to minimize customization, but you are correct.
That requires the use of the patterns_dir setting correct?
Not in recent versions. It looks in that directory by default
[2019-09-09T21:07:03,079][DEBUG][logstash.filters.grok ] Grok patterns path {:paths=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-patterns-core-4.1.2/patterns", "/usr/share/logstash/patterns/*"]}
WHAT! Why does no one tell me these things. That is perfect! Thanks Badger. Exactly what I was looking for.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.