The 'tag_on_failure' attribute doesn't interpolate template variables

logstash-plugins / logstash-filter-grok

Grok plugin to parse unstructured (log) data into something structured.

https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html

Apache License 2.0

124 stars 98 forks source link

The 'tag_on_failure' attribute doesn't interpolate template variables #75

Open hartfordfive opened 8 years ago

hartfordfive commented 8 years ago

This would be a useful feature if the tag_on_faliure attribute would interpolate dynamic template variables. For example, given a template variable type = syslog:

       grok {
          match => [
            "message", "%{SYSLOGBASE:syslog_data}\s+%{GREEDYDATA:message}"
          ]
          overwrite => [ "message" ]
          tag_on_failure => ["_grokparsefailure_%{type}"]
        }

Should tag the event with _grokparsefailure_syslog but is currently showing up as _grokparsefailure_%{type}