Add an option to grok filter to disable the addition of the _grokparsefailure tag on unsuccessful parsing

Description

Although it's possible to do most config in a single grok block with multiple pattern, in some cases (syslog parsing for example) it would be easier to do it in multiple blocks so each affected events can be tagged appropriately.

For this reason, it would be really useful to have the option to disable grok's addition of the _grokparsefailure tag on unsuccessful parsing.

Thank in advance

Gliffy Diagrams

Activity

Show:

Philippe Weber February 6, 2013 at 9:45 AM

Merged PR https://github.com/logstash/logstash/pull/328

David G November 20, 2012 at 9:17 PM

Yes, it would be very useful to categorize and add a specific tag to messages coming from the same source type (syslog is an example). At the moment, we can do it using multiple grok filters, but it adds a lot of "_grokparsefailure" tags. These tags should only be related to errors or failures.

Fixed

Details

Assignee

Jordan Sissel

Reporter

Stephane Gauthier

Labels

filtergrok

Fix versions

1.1.10

Created November 19, 2012 at 7:53 PM

Updated April 19, 2013 at 8:20 PM

Resolved February 6, 2013 at 9:45 AM

Configure