
how to use clone filter correctly?

Posted: Wed Jun 22, 2016 5:29 am
by _asp_
Hi,

I want to clone an event with Logstash's clone filter. But it does not work. I only see the original event.

Here is my filter configuration:

Code:

if [LogFile] == '1.log'
{
	grok
	{
		match => [ 'message','(?<logTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d*\s- activeVehicle=\d+\s+MsgCount\/Hour=\d+\.\d+\s*(?<keyValuePart>.*)']
	}

	# parse the date to @timestamp
	date {
		match => ['logTime', 'YYYY-MM-dd HH:mm:ss']
		timezone => "Europe/Berlin"
		remove_field => ['logTime']
	}


	# clone the event
	clone
	{
		add_tag => [ "cloned" ]
	}

}

What is wrong here?
The problem is that the event is not cloned.

As first step I wanted to clone the event completely and add a tag to the clone.
Next steps would be to add / remove fields to / from the clone. But step 1 is not working.

Thanks, Andreas

Re: how to use clone filter correctly?

Posted: Wed Jun 22, 2016 10:10 am
by hsmith
Let's get the clone filter working before we look into this too much further.

Here's what I did initially:

Code:

if [type] == 'syslog' {
   clone {
      add_tag => [ "cloned" ]
   }
}

This did not clone anything. Not fully understanding the clone filter, I thought it would work, but I was wrong.

Next thing I tried was this:

Code:

if [type] == 'syslog' {
   clone {
      clones => [ "clonelog" ]
      add_tag => [ "cloned" ]
   }
}

Bam. I had two logs show up when I searched for a certain syslog message I sent for test purposes. I only sent the message once. The type for the first one was syslog, and the type for the second one was clonelog, with a tag of cloned (and grokparsefailure, but I have some fixing of my filters I need to do). Give the clones => [ "something" ] a shot, and let us know.

Re: how to use clone filter correctly?

Posted: Thu Jun 23, 2016 8:18 am
by _asp_
Thanks, the missing clones statement was the key. Now it works.
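
The working setup from this thread as one filter section, extended to the next step _asp_ described (changing fields only on the clone). This is an added example, not a configuration posted by anyone in the thread; the clone name vehicle_clone, the added field copy_of, and the choice of keyValuePart as the field to drop are assumptions.

```logstash
filter {
  if [LogFile] == '1.log' {
    grok {
      match => [ 'message', '(?<logTime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d*\s- activeVehicle=\d+\s+MsgCount\/Hour=\d+\.\d+\s*(?<keyValuePart>.*)' ]
    }

    # parse the date to @timestamp
    date {
      match        => [ 'logTime', 'YYYY-MM-dd HH:mm:ss' ]
      timezone     => "Europe/Berlin"
      remove_field => [ 'logTime' ]
    }

    # One copy is emitted per name listed in `clones`.
    # With no `clones` setting nothing is cloned, which is the
    # behaviour both posters saw at first.
    clone {
      clones  => [ "vehicle_clone" ]   # hypothetical clone name
      add_tag => [ "cloned" ]          # applied to the copy, not the original
    }

    # As reported above, only the copy carries the "cloned" tag,
    # so the tag separates the copy from the original event.
    if "cloned" in [tags] {
      mutate {
        remove_field => [ "keyValuePart" ]               # assumed field to drop
        add_field    => { "copy_of" => "%{LogFile}" }    # hypothetical field
      }
    }
  }
}
```

The same tag test can be used in the output section to send the copy and the original to different destinations.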

Re: how to use clone filter correctly?

Posted: Thu Jun 23, 2016 10:00 am
by rkennedy
Are we good to mark this thread as resolved?

Re: how to use clone filter correctly?

Posted: Wed Jun 29, 2016 5:00 am
by _asp_
Yes. Can I close it by myself, or can only admins do that?

Re: how to use clone filter correctly?

Posted: Wed Jun 29, 2016 9:32 am
by mcapra
We generally take care of that :)