Hi,
I'm trying to reference a value from a new field that was added with the mutate plugin. I try to reference it within a grok match setting.
Part of the filter pipeline looks like:
    filter {
      mutate {
        add_field => {
          "field_1" => "aws"
          "field_2" => "test"
          "field_3" => "%{container_name}"
        }
      }
      if [field_1] and [field_2] and [field_3] != "" {
        grok {
          match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)[field_1].*"]
        }
      }
    }
    output { stdout {} }
I have tried to reference the field with the following options:
match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)[field_1].*"]
match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)[[field_1]].*"]
match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)%{field_1}.*"]
match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)%{[field_1]}.*"]
match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)[field_1].*"]
match => [ "log", "(\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2})\s([^\s]+)\s(somestring\.)([field_1].*)"]
Can anyone help and suggest how else I can try to reference a newly added field value through the match setting in the grok filter plugin?
Thanks