Optional field in dissect plugin

I have a dissect plugin in my filter section of the pipeline as follows:

    dissect {
        mapping => {
            "message" => "%{ts} %{+ts} %{+ts} %{host} %{prog}[%{pid}]: %{message}"
        }
    }

The pid element is not always present. Is there any way of indicating that an extraction element is optional? The only other option that I can think of is to combine prog and pid into a field and run grok on the field. I am thinking that will be faster than using just grok for the entire message pattern. Please suggest.

You can combine the two fields and then use a conditional with another dissect filter.

    if [prog] =~ /\]:\z/ {
      dissect {
        mapping => { "[prog]" => "%{prog}[%{pid}]:%{}" }
      }
    }
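
The two-stage approach from the answer written out as a full filter section, as an added example that is not part of the original posts. The first-stage mapping, the `mutate` branch for lines without a pid, and the `_dissectfailure` guard are assumptions; the sample values in the comments are constructed.

```logstash
filter {
  # Stage 1: take "prog[pid]:" or "prog:" as a single token in [prog].
  # Constructed sample lines:
  #   Jan 12 10:15:01 web01 sshd[2211]: Accepted publickey for deploy
  #   Jan 12 10:15:02 web01 kernel: device eth0 entered promiscuous mode
  dissect {
    mapping => {
      "message" => "%{ts} %{+ts} %{+ts} %{host} %{prog} %{message}"
    }
  }

  # Only run stage 2 on events that stage 1 parsed, so malformed lines
  # keep their _dissectfailure tag and can be routed for review.
  if "_dissectfailure" not in [tags] {
    if [prog] =~ /\]:\z/ {
      # "sshd[2211]:" -> prog = "sshd", pid = "2211"
      dissect {
        mapping => { "[prog]" => "%{prog}[%{pid}]:%{}" }
      }
    } else {
      # "kernel:" -> prog = "kernel"; no pid field is created
      mutate {
        gsub => [ "prog", ":$", "" ]
      }
    }
  }
}
```

Downstream rules that key on `pid` should test for the field's existence, since events from programs that log without a pid will not carry it.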
