I was trying to use the coalesce alter filter after the NAGIOSLOGLINE pattern to convert one of the three std messages back to message. And about 3/10 times the filter would fail to match on identical logs. The following would lead to "temp" being the correct string 7/10 times and the other 3 would be "Failed" when using the exact same initial message. I switched to using a conditional if with "mutate { rename" to get the desired results for now.
I was trying to use the coalesce alter filter after the NAGIOSLOGLINE pattern to convert one of the three std messages back to message. And about 3/10 times the filter would fail to match on identical logs. The following would lead to "temp" being the correct string 7/10 times and the other 3 would be "Failed" when using the exact same initial message. I switched to using a conditional if with "mutate { rename" to get the desired results for now.
grok {
patterns_dir => "/etc/logstash/patterns"
match => [ "message", "%{NAGIOSLOGLINE}" ]
overwrite => [ "message" ]
tag_on_failure => [ "Initial Nagios Match Failed" ]
}
alter {
coalesce => [ "temp", "%{nagios_check_result}", "%{nagios_comment}", "%{nagios_message}", "Failed" ]
}