We started using logstash not long ago and the number of rules is growing quite quickly, which makes it difficult to know which rule is applied to each message in elasticsearch.
Is there a standard or easy way to know which rule was applied to a certain log/elasticsearch document by logstash?
I was thinking of adding a field to the document when parsing it like the following:
add_field => [ "logstash_rule", "XXXXX" ]
In this way, it would be very easy to identify what rule is being applied.
But I'm not sure if that's a good strategy or not, and maybe there are better strategies out there.
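One way to carry the idea through a whole pipeline, as an added example that is not from the original post: each grok rule stamps its own name into `logstash_rule`, and a final fallback marks documents that no rule claimed. The `type` values, rule names and the `sshd` pattern are constructed for the example; `%{COMBINEDAPACHELOG}` is a pattern shipped with Logstash.

```logstash
filter {
  # Constructed example: event "type" values and rule names are assumptions.
  if [type] == "apache_access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
      # add_field on grok only fires when the pattern actually matched,
      # so the rule name is evidence that this rule parsed the event.
      add_field => { "logstash_rule" => "apache_access_v1" }
      # A rule-specific failure tag keeps parse failures attributable too.
      tag_on_failure => ["_grokparsefailure_apache_access"]
    }
  }
  else if [type] == "sshd" {
    grok {
      match => { "message" => "Failed password for %{USERNAME:user} from %{IP:src_ip} port %{NUMBER:src_port:int}" }
      add_field => { "logstash_rule" => "sshd_failed_password_v1" }
      tag_on_failure => ["_grokparsefailure_sshd"]
    }
  }

  # Anything that reaches the output without a rule name is explicitly
  # labelled, so gaps in coverage are visible rather than silent.
  if ![logstash_rule] {
    mutate { add_field => { "logstash_rule" => "unmatched" } }
  }
}
```

With the field in place, a terms aggregation on `logstash_rule` (the keyword sub-field if the index uses dynamic text mapping) gives per-rule document counts, so rules that never fire stand out; the `unmatched` bucket and the per-rule `_grokparsefailure_*` tags show which log sources the current rule set is not parsing, which is also where detection content built on those fields would be blind.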
Thanks, I started doing it and it definitely helps when developing new rules.
I also thought it could give me some numbers on which rules are used or not used.