I am attempting to filter through grok with named fields, then filter through a custom filter.
After grok, when I call the custom filter, the event seems to be the same as before grok.
I am confused about how to chain filters and maintain the changes as the event trickles through them.
I took the basic DNS filter and started with that.
The grok filter works; if I run it without the second filter for crowd, I get the results I want in the output.