I have the following code in my filter. The constructs if ... else if ... else are described by the Logstash documentation as being valid, yet /var/log/logstash/logstash-plain.log records this error message.
filter {
  if [source] =~ "debug" {
    dissect {
      mapping => {
        "message" => "[%{ignore}] %{acme.date} %{acme.time} - REST: Path: %{acme.restpath}"
      }
    }
    if "_dissectfailure" in [tags] {
      dissect {
        mapping => {
          "message" => "[%{ignore}] %{acme.date} %{acme.time} - REST: Request length: %{acme.requestlength}"
        }
      }
    }
    else {   # **** the error is issued for this else ****
      # Now that the new, split-out fields are created, we don't need
      # to keep 'message' any longer:
      remove_field => [ "message" ]
    }
  }
}
First, if [source] =~ "debug" will be matching strings like "/var/log/acme/debug.log". I'm handling piles of logs on many different paths, but some log types, like our own debug.log, are predictable and can be filtered the same way. So, yeah, regular-expression matching was my intention. (It took me a long time before figuring out that these filters were Ruby-esque; I wish the Elastic documentation had said that up front.)
(The error was in /var/log/logstash/logstash-plain.log and contained the text of this issue's subject along with much of the code originally posted.)
I'll look into add_tag.
Second, and this goes for add_tag too, your comment is welcome. I simply had never thought that remove_field must be embedded in a filter because, here I thought, I am embedding it in a filter: my filter, the one that starts out with the keyword filter. I am armed with new understanding!
Most of Elastic's and even others' examples of filter writing are short, succinct and I struggle to connect the dots between the features.
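For readers hitting the same error, here is an added, corrected version of the configuration above. It is example code written for this thread, not the poster's final config and not something taken from Elastic's documentation. The point it shows: remove_field (like add_tag, add_field and remove_tag) is a common option that belongs inside a plugin block such as mutate or dissect; a conditional branch on its own cannot hold it, which is why the bare else block is rejected. The log format, the acme field names and the tag name "acme_rest" are assumptions carried over from the original post; the "_dissectfailure" tag is the one dissect adds by default when its mapping does not match.

```conf
filter {
  # Assumption: [source] holds the file path, e.g. "/var/log/acme/debug.log".
  if [source] =~ "debug" {
    dissect {
      mapping => {
        "message" => "[%{ignore}] %{acme.date} %{acme.time} - REST: Path: %{acme.restpath}"
      }
      # Common option: only applied when the mapping succeeds.
      add_tag => [ "acme_rest" ]
    }

    if "_dissectfailure" in [tags] {
      # Clear the failure tag first so a second failure is distinguishable.
      mutate {
        remove_tag => [ "_dissectfailure" ]
      }
      dissect {
        mapping => {
          "message" => "[%{ignore}] %{acme.date} %{acme.time} - REST: Request length: %{acme.requestlength}"
        }
        add_tag => [ "acme_rest" ]
      }
    }
    else {
      # remove_field must live inside a plugin block; mutate is the usual host.
      mutate {
        remove_field => [ "message" ]
      }
    }
  }
}
```

Before reloading the pipeline, check the syntax without starting it: bin/logstash --config.test_and_exit -f <path-to-this-file> (short form -t) parses the file and reports configuration errors such as the misplaced remove_field. Note that in this version a line that fails both mappings keeps its message field and carries "_dissectfailure", so the raw text is never silently lost.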