Is there a way to specify a pattern to a specific file? For example I have a filter working for all byte_count files. I want to add more filters for other files. How would I do this to match the file and pattern combination properly?
This is my current filter:
filter {
grok {
match => { "message" => "%{NUMBER:ts}%{SPACE}%{NUMBER:ts_delta}%{SPACE}%{IP:orig_h}%{SPACE}%{INT:unique_hosts}%{SPACE}%{INT:flows}%{SPACE}%{INT:bytes}%{SPACE}%{INT:flow_avg}%{SPACE}%{INT:host_avg}" }
}
}
Assuming your input adds the file name to the event (for example, the file input adds a path field to the event) you could use a conditional to decide whether to apply the filter.
Ok that gives me a better idea after reading that but how would i compare my "byte_count" file to?
if path == byte_count{}?
If you want to test whether byte_count is part of the name you could use
if "byte_count" in [path] { ... }
Or you could do a regexp comparison
if [path] =~ /byte_count/ { ... }Ah that makes sense, thank you!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.