I don't understand why I have a grokparse failure for this simple config:

    input {
      file {
        path => "/var/log/*.log"
        codec => json {
        }
      }
    }
    filter {
      grok {
        add_tag => ["test"]
      }
    }
    output {
      elasticsearch {
        /.../
      }
    }

The logs are correctly sent to elasticsearch, the json is correctly parsed, but the added tag doesn't work; instead I have a tag "_grokparsefailure". What I want is to pass a static value as a tag.
I am surely missing something dumb, but I can't find what.

Your grok filter does nothing, there is no pattern to match, the tag would only be applied after a successful match.
To add a tag in your case you can use the tags option in your input or the mutate filter.
To use the tags option just change your input to this one:

    input {
      file {
        path => "/var/log/*.log"
        codec => json
        tags => ["test"]
      }
    }

To use the mutate filter, put the below config inside your filter block.

    mutate {
      add_tag => ["test"]
    }

Both configurations will add a test tag to all your messages.
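
An added example, not part of the original answer: a filter block that puts the two behaviours side by side, so the difference between an unconditional tag and grok's match-dependent add_tag is visible in one place. The "message" field, the %{IP:client_ip} pattern and the has_client_ip tag are assumptions chosen for illustration.

```logstash
filter {
  # Unconditional: mutate has no pattern, so every event gets the
  # static "test" tag.
  mutate {
    add_tag => ["test"]
  }

  # Conditional: grok applies add_tag only after a successful match.
  # Assumption: the decoded JSON carries a "message" field (hypothetical).
  grok {
    match          => { "message" => "%{IP:client_ip}" }
    add_tag        => ["has_client_ip"]
    # This is already the default value; it is written out to show
    # where the "_grokparsefailure" tag comes from when nothing matches.
    tag_on_failure => ["_grokparsefailure"]
  }
}
```

With this block, an event whose message contains an IP address ends up tagged test and has_client_ip; any other event is tagged test and _grokparsefailure.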