Hello
Could someone please let me know why my filter below, which uses dissect, doesn't work? I tried using the "_dissectfailure" tag to parse logs when the first dissect filter fails and returns this tag, but it doesn't seem to work:
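filter
{
  # First attempt: mapping for the first log line layout
  dissect
  {
    mapping => {"message" => "%{time}|%{thread}|%{rest} ,%{bleh1}all %{bleh2} ..."}
  }
  # Second attempt: only when the first dissect tagged the event as failed
  if "_dissectfailure" in [ tags ]
  {
    dissect
    {
      mapping => {"message" => "%{time}|%{thread}|%{rest}all %{bleh1}......"}
    }
  }
}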
This filter does work when the log lines match the first message but fails when they match the second. I am new to Logstash, and as per my understanding the second dissect filter should have worked on this, as the first one failed and returns a "_dissectfailure" tag. Please correct me if I am wrong.