We're updating the issue view to help you get more done. 

filter chaining question

Description

I am attempting to filter through grok with named fields, then filter through a custom filter.

After grok when I call the custom filter the event seems to be the same as before grok.

I am confused on how to chain filters and maintain the changes as the event trickles through them.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 input { stdin { type => "stash-auth" } } filter { if "stash-auth" in [type] { grok { patterns_dir => "patterns" pattern => "%{STASH_CAPTCHA}" add_tag => ["stash-captcha"] } #event being passed to next block is still same as before grok if "stash-captcha" in [tags] { mutate { add_field => { "userName" => "%{user1}" } } crowd { crowdURL => "https://crowd/rest/usermanagement/1/user?username=" timeout => 2 } } } } output { stdout { codec => rubydebug } }

I took the basic DNS filter and started with that.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 class LogStash::Filters::Crowd < LogStash::Filters::Base config_name "crowd" milestone 1 # Lookup email address of username. #config :userName, :validate => :string # Determine what action to do: append or replace the values in the field # specified under "username" config :action, :validate => [ "append", "replace" ], :default => "append" # Atlassian Crowd REST API URL config :crowdURL, :validate => :string # RestClient timeout config :timeout, :validate => :number, :default => 2 public def register require "json" require "rest_client" @resource = RestClient::Resource.new(@crowdURL, :user => "secret", :password => "secret", :timeout => @timeout, :accept => 'application/json') end # def register public def filter(event) puts event[userName] # <--- NOTHING prints here puts event.inspect # <--- The original message from before grok prints here return unless filter?(event) @response = @resource[event[userName]].get # <--- undefined local variable or method `userName' @responseHash = JSON.parse(@response) @email = @responseHash["email"] filter_matched(event) end end # class LogStash::Filters::Crowd

The grok filter works, if I run it without the second filter for crowd I get the results I want in output.

Environment

None

Status

Assignee

Logstash Developers

Reporter

Zachary Buckholz

Priority