Tag with pattern used

Elastic Stack Logstash
1

Below is a basic example of what I'm using for my setup:

I have a patterns file that's defined and works correctly.

patterns %{pattern1}|%{pattern2}|%{pattern3}

My filter is similar to the following:

filter {
  if [type] == 'test' {
    grok {
      patterns_dir => '/etc/logstash/conf.d/patterns/'
      match => { "message" => "%{patterns}" }
    }
  }
}

I know I can add tags, and I know I could do a large set of conditionals to accomplish my goal, but I'm wondering if there is a dynamic way to get my filter to add tags based on which pattern is used. I'd like a tag called pattern1, pattern2, or pattern3 to show up in all of my parsed logs. Anyone have any insight on how I could go about accomplishing this?

Thanks!

2

There's no automatic way of doing this. Your best bet is probably to generate a configuration file with conditionals etc.

3

I was afraid that might be the case. I'm a little worried about the performance hit as I'm running a fairly large cluster, with a lot of different patterns. That's the only reason I didn't just implement it with a lot of conditionals yet. I'll have to do testing I guess. :confused:

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.