Additional Commands
8naama edited this page Jun 7, 2022 · 15 revisions
The onSuccess command runs if the processor parsed successfully. It allows performing further processing on the document.
onSuccess should be an array placed after the config of the processor or statement, at the same level as `config`.
```
{
  "steps": [{
    <processor or statement>,
    "onSuccess": [
      {
        <processor or statement>
      }
    ]
  }]
}
```

```json
{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "patterns": [
            "^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:logMessage}$"
          ]
        },
        "onSuccess": [
          {
            "addTag": {
              "config": {
                "tags": [
                  "grok_parsing_works"
                ]
              }
            }
          }
        ]
      }
    }
  ]
}
```
The onFailure command runs if the processor failed to parse. It allows performing further processing on the document.
onFailure should be an array placed after the config of the processor or statement, at the same level as `config`.
```
{
  "steps": [{
    <processor or statement>,
    "onFailure": [
      {
        <processor or statement>
      }
    ]
  }]
}
```

```json
{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "patterns": [
            "^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:logMessage}$"
          ]
        },
        "onFailure": [
          {
            "addTag": {
              "config": {
                "tags": [
                  "failed_to_parse_grok"
                ]
              }
            }
          }
        ]
      }
    }
  ]
}
```
Sometimes the timestamp field is missing information (such as the year), so the date processor can't parse it correctly. To add the missing information, use dateTemplate to insert the relevant part of the current date into the log.
```json
{
  "steps": [
    {
      "addField": {
        "config": {
          "path": "timestamp",
          "value": "{{#dateTemplate}}yyyy{{/dateTemplate}} {{timestamp}}"
        }
      }
    }
  ]
}
```
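Because the year comes from the processing clock rather than from the event, an event written just before New Year and processed just after it receives the wrong year, and "Feb 29" stamped with a non-leap year fails to parse. The following Python model of that behaviour is an added example, not Sawmill code; the syslog-style input layout, the skew tolerance and the tag names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed input layout (syslog-style, no year); not taken from the page.
FMT = "%Y %b %d %H:%M:%S"
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance for clock drift


def stamp_year(raw_ts, now):
    """Model of '{{#dateTemplate}}yyyy{{/dateTemplate}} {{timestamp}}':
    prefix the year of the processing clock, not of the event."""
    return f"{now:%Y} {raw_ts}"


def enrich(doc, now):
    """Return a copy of doc with a full timestamp, plus tags for bad results."""
    out = dict(doc, tags=list(doc.get("tags", [])))
    stamped = stamp_year(doc["timestamp"], now)
    try:
        parsed = datetime.strptime(stamped, FMT)
    except ValueError:
        # Same role as an onFailure addTag step: keep the event, mark it.
        out["tags"].append("failed_to_parse_date")  # hypothetical tag name
        return out
    if parsed > now + MAX_SKEW:
        # Written before New Year, processed after it: the template supplied
        # the new year, so the event appears to lie in the future.
        out["tags"].append("timestamp_in_future")  # hypothetical tag name
    out["timestamp"] = parsed.isoformat()
    return out


if __name__ == "__main__":
    # Constructed sample events and processing times.
    cases = [
        ("Jun 07 11:59:00", datetime(2022, 6, 7, 12, 0, 0)),
        ("Dec 31 23:59:58", datetime(2023, 1, 1, 0, 0, 5)),
        ("Feb 29 10:00:00", datetime(2023, 3, 1, 9, 0, 0)),
    ]
    for raw, now in cases:
        print(enrich({"timestamp": raw}, now))
```

Tagging instead of dropping keeps the suspect events searchable, so a gap or a future-dated entry in a timeline can be traced back to the enrichment step.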
The stopOnFailure setting of a pipeline takes one of two values:
- false - (default) The pipeline will continue through the steps even if there is a processor failure.
- true - The pipeline will stop processing at the first processor that has a failure.
```
{
  "steps": [
    {<processor or statement>},
    {<processor or statement>},
    {<processor or statement>}
  ],
  "stopOnFailure": true
}
```