how to use clone filter correctly?

[_asp_]

Hi,

i want to clone a event with logstash's clone filter. But it does not work. I only see the original event.

Here is my filter configuration:

Code: Select all

if [LogFile] == '1.log' 
{
	grok 
	{
		match => [ 'message','(?<logTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d*\s- activeVehicle=\d+\s+MsgCount\/Hour=\d+\.\d+\s*(?<keyValuePart>.*)']
    }
	
	# parse the date to @timestamp
	date {
        match => ['logTime', 'YYYY-MM-dd HH:mm:ss']
        timezone => "Europe/Berlin"
        remove_field => ['logTime']
    }
	
	
	# clone the event
	clone
	{
		add_tag => [ "cloned" ]
	}

}

What is wrong here?
The problem is that the event is not cloned.

As first step I wanted to clone the event completely and add a tag to the clone.
Next steps would be to add / remove fileds to / from the clone. But step 1 is not working.

Thanks, Andreas

[hsmith]

Let's get the clone filter working before we look in to this too much further.

Here's what I did initially:

Code: Select all

if [type] == 'syslog' {
      clone {
     add_tag => [ "cloned" ]
   }
}

This did not clone anything. Not fully understanding the clone filter, I thought it would work, but I was wrong.

Next thing I tried was this:

Code: Select all

if [type] == 'syslog' {
      clone {
     clones => [ "clonelog" ]
     add_tag => [ "cloned" ]
   }
}

Bam. I had two logs show up when I searched for a certain syslog message I sent for test purposes. I only sent the message once. The type for the first one was syslog, and the type for the second one was clonelog, with a tag of cloned(and grokparsefailure, but I have some fixing of my filters I need to do). Give the clones => [ "something" ] a shot, and let us know.

[_asp_]

thanks, the missing clones statement was the key. Now it works

[rkennedy]

Are we good to mark this thread as resolved?

[_asp_]

yes. can I close it by myself or can only admins do?

[mcapra]

We generally take care of that