Given that I have the following grok
filter {
grok { match => { "my_abc" => "Duration: %{NUMBER:duration}" } }
}
Will grok fail if the my_abc field does not exist in the message?
Would it be necessary to check for field existence first as in
filter {
if [my_abc] {
grok { match => { "my_abc" => "Duration: %{NUMBER:duration}" } }
}
}
Thanks
Easy enough to test, right?
$ echo '' | /opt/logstash/bin/logstash -e 'filter { grok { match => { "does not exist" => "does not match" } } }'
Settings: Default pipeline workers: 8
Pipeline main started
{
"message" => "",
"@version" => "1",
"@timestamp" => "2016-08-18T17:34:39.876Z",
"type" => "stdin",
"host" => "bertie",
"tags" => [
[0] "_grokparsefailure"
]
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.