Details
-
Type:
Bug/Feature
-
Status: Resolved (View workflow)
-
Resolution: Won't Fix
-
Affects Version/s: 1.1.13
-
Fix Version/s: None
-
Labels:
Description
I have a grok where I want to tag up events based on which host they're from, e.g.:
filter {
grok {
pattern => [ "%{SYSLOGTIMESTAMP} myservice-prod-role" ]
add_tag => [ "myservice" ]
}
}
However, since logstash reads log from multiple hosts that grok will
fail, but I don't want the event to be tagged as "_grokparsefailure".
And sure I can have this just after my grok:
mutate {
tags => [ "myservice", "_grokparsefailure" ]
remove_tag => [ "_grokparsefailure" ]
}
But I'd rather just write (without the mutate):
grok {
pattern => [ "%{SYSLOGTIMESTAMP} myservice-prod-role" ]
add_tag => [ "myservice" ]
tag_on_failure => false
}
but that adds a tag called "false"... = )
According to devOpsEv on IRC this worked in 1.1.10 but changed and I
suspect it's on this commit https://github.com/logstash/logstash/commit/f0196dbdc0c9578fd51e8da193b8fe17189a160c
Not sure how to support both an array and a bool so I just did a
bugreport.
In summary:
Ideally, both tag_on_failure => false and {{tag_on_failure => [
"tagz" ]}} should work.
Br,
- Simon
