I need an easy explanation please :slight_smile: I am a beginner in logstash and I have some questions :slight_smile:
What is the tag _grokparsefailure and what is it used for? If I delete this tag, what will happen?
How do I remove the tag multiline?
How can I make a condition from a field of my grok (condition in grok)?
What is an endpoint?
grok{} is a filter used to parse larger fields (like an entire log line) into smaller fields. If your pattern doesn't match the input given, a tag of "_grokparsefailure" will be added to the event. If you delete it, you will lose the knowledge that such a failure occurred. I would suggest finding the cause of the failure and resolving that instead.
You can remove a tag with the remove_tag param available on most filters. The mutate{} filter is a common one to use for this:
mutate { remove_tag => [ "multiline" ] }
If I understand the question correctly, you can use a field that was created by grok{} in a conditional to run some other filter:
if [myField] == "myValue" { ... }
Generically, an endpoint is a destination. In the ELK world, I only see it used in the http{} input and output, where it is used to describe a website as the destination.
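Putting the three answers together in one pipeline, as an added example that is not from the original thread: the log format, the grok pattern, the field names and the output path are assumptions for illustration, and the "multiline" tag is assumed to come from the multiline codec joining stack-trace lines.

```logstash
# Added example, not from the original post. Constructed input lines
# it is meant for (an app log with stack-trace continuations):
#   2024-01-15T10:00:01Z ERROR Payment failed
#       at com.example.Pay.charge(Pay.java:42)
#   2024-01-15T10:00:02Z INFO Started
#   this line matches nothing
input {
  stdin {
    # Lines starting with whitespace belong to the previous line; the
    # codec joins them and adds the "multiline" tag to the merged event.
    codec => multiline {
      pattern => "^\s"
      what    => "previous"
    }
  }
}

filter {
  # Assumed format: ISO timestamp, log level, free text.
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:loglevel} %{GREEDYDATA:msg}" }
  }

  # Keep _grokparsefailure (it records that the pattern did not match),
  # but mark the event so the unparsed lines can be reviewed later.
  if "_grokparsefailure" in [tags] {
    mutate { add_field => { "parse_status" => "failed" } }
  } else {
    mutate { add_field => { "parse_status" => "ok" } }
    # "multiline" only says the codec joined lines; once the event is
    # parsed it carries no further information, so drop it.
    mutate { remove_tag => [ "multiline" ] }

    # Condition on a field that grok created.
    if [loglevel] == "ERROR" {
      mutate { add_tag => [ "needs_attention" ] }
    }
  }
}

output {
  # Unparsed events go to their own file (assumed path) so the pattern
  # can be fixed; everything else is printed for inspection.
  if [parse_status] == "failed" {
    file { path => "/tmp/grok-failures.log" }
  } else {
    stdout { codec => rubydebug }
  }
}
```

Run it with `bin/logstash -f pipeline.conf` and paste the constructed lines on stdin; the last line lands in the failures file with the _grokparsefailure tag still attached, and the ERROR event shows the added tag without "multiline".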