Question
Given the following logstash configuration:
    input { stdin {} }
    filter {
      grok {
        match => ["message", "foo (?<bar>.*)",
                  "message", "quux (?<stuff>.*)"
        ]
      }
      if "bar" in [tags] {
        mutate {
          add_field => { "had_bar" => "yup" }
        }
      }
    }
    output { stdout { codec => rubydebug } }
I would expect a message starting with "foo " to get the field had_bar added to my event. However, when I try it:
    * bin/logstash -f simple.conf
    Picked up JAVA_TOOL_OPTIONS: -Xmx1G
    foo bar quux
    {
           "message" => "foo bar quux",
          "@version" => "1",
        "@timestamp" => "2014-05-14T09:46:15.498Z",
              "host" => "my-dev-machine.com",
               "bar" => "bar quux"
    }
What have I done wrong? I'm aware that grok also provides an add_field option, but I only want to add the field when I encounter the first pattern.
Solution
You're checking for fields in tags, but tags is just a normal field on the event. What you want is:

    if [bar] {
      # ...
    }
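
The question's pipeline with the conditional changed as the answer describes, shown as an added example that is not part of the original answer. It assumes grok's default keep_empty_captures => false, under which an input of "foo " with nothing after it produces no bar field and therefore no had_bar.

```logstash
input { stdin {} }

filter {
  # Unchanged from the question. A named capture such as (?<bar>...) is
  # stored as an event field called "bar"; it is never appended to [tags].
  grok {
    match => ["message", "foo (?<bar>.*)",
              "message", "quux (?<stuff>.*)"
    ]
  }

  # Before (never true in this pipeline): this looks for the string "bar"
  # inside the tags array. Nothing here adds that tag; grok only adds
  # "_grokparsefailure" to [tags] when no pattern matches.
  #   if "bar" in [tags] { ... }

  # After: true when the field exists and is neither false nor null,
  # which happens only when the first pattern matched.
  if [bar] {
    mutate {
      add_field => { "had_bar" => "yup" }
    }
  }
}

output { stdout { codec => rubydebug } }
```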