skYl1r
commented
4 years ago did you try the reserve_data option like this :
<source>
@type dummy
dummy {"log":"Hello World"}
tag k8s
</source>
<filter **>
@type parser
key_name log
reserve_data
<parse>
@type grok
<grok>
pattern %{WORD:first} %{WORD:second}
</grok>
</parse>
</filter>
<match **>
@type stdout
</match>and for the output i get my log field back with the 2 extra parsed fields :
2020-04-10 23:23:54.080234828 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:23:55.082111403 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:23:56.084184600 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:23:57.086278249 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:23:58.088189665 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:23:59.090136893 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:24:00.092102009 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
2020-04-10 23:24:01.093986879 +0100 k8s: {"log":"Hello World","first":"Hello","second":"World"}
cosmo0920
I am using the grok plugin. I found that the message field will disappear after the parsing succeeds. How can I configure it to keep it?