Tag with pattern used

lask001 · April 10, 2017, 8:27pm

Below is a basic example of what I'm using for my setup:

I have a patterns file that's defined and works correctly.

patterns %{pattern1}|%{pattern2}|%{pattern3}

My filter is similar to the following:

filter {
  if [type] == 'test' {
    grok {
      patterns_dir => '/etc/logstash/conf.d/patterns/'
      match => { "message" => "%{patterns}" }
    }
  }
}

I know I can add tags, and I know I could do a large set of conditionals to accomplish my goal, but I'm wondering if there is a dynamic way to get my filter to add tags based on which pattern is used. I'd like a tag called pattern1, pattern2, or pattern3 to show up in all of my parsed logs. Anyone have any insight on how I could go about accomplishing this?

Thanks!

magnusbaeck · April 11, 2017, 5:15am

There's no automatic way of doing this. Your best bet is probably to generate a configuration file with conditionals etc.

lask001 · April 11, 2017, 6:08am

I was afraid that might be the case. I'm a little worried about the performance hit as I'm running a fairly large cluster, with a lot of different patterns. That's the only reason I didn't just implement it with a lot of conditionals yet. I'll have to do testing I guess.

system · May 9, 2017, 6:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Conditional grok Logstash	8	33055	July 6, 2017
Can I use pattern in Logstash output plugin Logstash	13	277	February 7, 2023
Grok filter if condition issue Logstash	3	2385	July 6, 2017
Is GROK parsing automatically assigning a _grokparsefailure to tags field if it does not match a pattern? Logstash	3	366	August 12, 2019
Specify a grok pattern to specific files? Logstash	5	353	September 12, 2019

Tag with pattern used

Related topics