Sorry if this is too related to my previous post, but here goes:
I have two types of messages that I want to send to Logstash. One is a "standard" log type message and the other is a JSON object. I want the message to go through the json filter only if it fails the grok filter. For some reason though, none of the JSON objects are being parsed, nor are they getting tagged with _grokparsefailure either. In fact, I can't see them at all in Kibana. What am I doing wrong here?
filter {
  grok {
    match => { "message" => "\[%{TIMESTAMP_ISO8601:log_time}\]\[%{LOGLEVEL:log_level}\s*\]\[%{DATA:thread_name}\]\[%{DATA:class_name}\]%{GREEDYDATA:log_msg}" }
  }
  if "_grokparsefailure" in [tags] {
    json {
      source => "message"
      add_tag => ["RiskExplain"]
      # remove_tag => ["_grokparsefailure"]
    }
  }
}