fluent-plugin-grok-parser icon indicating copy to clipboard operation
fluent-plugin-grok-parser copied to clipboard
verified publisher icon fluent

Seems like field's type is not counted by this plugin.

Open fog1985 opened this issue 6 years ago • 1 comments

Even though I am providing grokked field with type as follow: %{NUMBER:response:integer} It appears in EFK as type string. Though no errors in fluentd's logs etc. It seems like it's being ignored at all. Any bits of advice on how can it be overcome?

root@fluentd-fluentd-elasticsearch-jpcqh:/# fluentd --version
fluentd 1.3.3

fog1985 avatar Apr 25 '19 13:04 fog1985

Sorry for the delay. Do you have the raw logs?

I tested the following configuration, but I could not reproduce your situation.

<source>
  @type dummy
  tag dummy
  dummy [
    {"message": "500 This is test"},
    {"message": "404 This is test"},
    {"message": "302 This is test"},
    {"message": "200 This is test"}
  ]
</source>

<filter dummy>
  @type parser
  key_name message
  <parse>
    @type grok
    <grok>
      pattern %{NUMBER:response:integer} %{GREEDYDATA:msg}
    </grok>
  </parse>
</filter>

<match dummy>
  @type stdout
</match>

okkez avatar Jun 18 '19 06:06 okkez