We started using logstash not long ago and the number of rules is growing quite quickly, which makes it difficult to know which rule was applied to each message in elasticsearch.
Is there a standard or easy way to know which rule was applied to a certain log/elasticsearch document by logstash?
I was thinking of adding a field to the document when parsing it like the following:
add_field => [ "logstash_rule", "XXXXX" ]
In this way, it would be very easy to identify what rule is being applied.
But I'm not sure if that's a good strategy or not, and maybe there are better strategies out there.
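Added example, not code from the original post: one way to carry the idea through a whole Logstash filter section. Each rule records its own name in the logstash_rule field on a successful match, later rules only run if no earlier rule claimed the event, and events no rule parsed are marked explicitly so the gap is visible in Elasticsearch. The rule names and grok patterns are assumptions chosen for illustration.

```logstash
filter {
  # Rule 1: sshd authentication failures from syslog.
  # add_field only fires when the grok match succeeds, so the field
  # doubles as a "which rule parsed this" marker.
  # tag_on_failure => [] keeps a non-match here from adding a spurious
  # _grokparsefailure tag before the remaining rules have had a chance.
  grok {
    id => "rule_sshd_auth_failure"
    match => { "message" => "%{SYSLOGBASE} Failed password for %{USERNAME:user} from %{IP:src_ip}" }
    add_field => { "logstash_rule" => "sshd_auth_failure" }
    tag_on_failure => []
  }

  # Rule 2: web server access logs, only tried if rule 1 did not claim the event.
  if ![logstash_rule] {
    grok {
      id => "rule_web_access"
      match => { "message" => "%{COMBINEDAPACHELOG}" }
      add_field => { "logstash_rule" => "web_access" }
      tag_on_failure => []
    }
  }

  # Fallback: nothing matched. Mark the document so unparsed events can be
  # counted and alerted on (a detection that depends on parsed fields is
  # blind to anything that ends up here).
  if ![logstash_rule] {
    mutate {
      id => "rule_unparsed"
      add_field => { "logstash_rule" => "unparsed" }
      add_tag   => [ "_grokparsefailure" ]
    }
  }
}
```

With this layout a query such as logstash_rule:unparsed in Kibana shows exactly which messages slipped past every rule, and the per-plugin id values also show up in the pipeline stats API for throughput and failure counts per rule.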