Hello everyone,
I have a Logstash problem with tags.
I have this filter in conf:

```
filter {
  if "kibana" in [message] { drop { } }
  grok {
    match => ["message", "%{SYSLOGTIMESTAMP:log_timestamp} %{GREEDYDATA:message}"]
    overwrite => [ "message" ]
    add_tag => [ "grokked" ]
  }
  date {
    match => [ "log_timestamp", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss" ]
    target => "log_timestamp"
  }
  mutate {
    rename => { "log_timestamp" => "timelog" }
    rename => { " log_timestamp_ISO8601" => "timelog" }
  }
  if "_grokparsefailure" in [tags] {
    mutate {
      remove_tag => [ "_grokparsefailure" ]
      add_tag => [ "grokked2" ]
    }
  }
}
```
The problem is that the logs pass the grok well, since they have the tag "grokked", but they have the "_grokparsefailure" tag too.
How can I proceed, please? Thank you!