
Keep original message in all cases

Open philhagen opened this issue 8 years ago • 1 comment

Before parsing anything, keep the original message, probably in a non-analyzed string.

philhagen avatar Jul 06 '16 23:07 philhagen

This should also enable a "reprocess" option, where old messages are re-parsed with new configuration files. Possibly a process such as the following, running as a cron or manually-triggered script:

  • Tag all events with "_reparse"
  • For all events tagged "_reparse":
    • Use elasticsearch input to re-parse messages against original field content
    • Potentially keep any existing GeoIP and ASN fields
    • Update records in elasticsearch output, updating record 'version' (Optionally delete original via a command-line switch or configuration option)
    • Remove "_reparse" tag if needed? If a new record is created, it would not have the tag, so this may not be needed

philhagen avatar Jul 29 '16 14:07 philhagen

This is sufficiently met with the event.original field. Reprising existing records is not anticipated at this time, but can be revisited in the future.

philhagen avatar Jan 31 '24 20:01 philhagen
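As an added illustration of the two ideas in this thread (stashing the raw line in event.original before any parser touches it, and a tag-driven reparse pass that reads from Elasticsearch and updates records in place), here is a pair of Logstash pipeline fragments; this is example configuration, not SOF-ELK's own. The host, index pattern, grok pattern and the `[@metadata][doc]` target are assumptions; the two pipelines belong in separate pipeline files.

```conf
# ---- ingest.conf (constructed example): preserve the raw line first ----
filter {
  # Copy the untouched line before grok or any other parser can alter "message".
  # Map [event][original] as type "keyword" in the index template so it is
  # stored as a non-analyzed string and survives exactly as received.
  if ![event][original] {
    mutate { copy => { "message" => "[event][original]" } }
  }
  grok { match => { "message" => "%{SYSLOGLINE}" } }   # assumed parser
}

# ---- reparse.conf (constructed example): run from cron or by hand ----
input {
  elasticsearch {
    hosts          => ["localhost:9200"]        # assumed host
    index          => "logstash-*"              # assumed index pattern
    query          => '{ "query": { "term": { "tags": "_reparse" } } }'
    docinfo        => true                      # expose _index and _id
    docinfo_target => "[@metadata][doc]"
  }
}

filter {
  # Rebuild "message" from the preserved original and re-run the parsers
  # with the current configuration. GeoIP/ASN fields already on the document
  # are kept because the output updates the record instead of replacing it.
  mutate { replace => { "message" => "%{[event][original]}" } }
  grok { match => { "message" => "%{SYSLOGLINE}" } }   # same parser as above
  mutate { remove_tag => ["_reparse"] }
}

output {
  elasticsearch {
    hosts         => ["localhost:9200"]
    index         => "%{[@metadata][doc][_index]}"
    document_id   => "%{[@metadata][doc][_id]}"
    action        => "update"                   # in-place update bumps _version
    doc_as_upsert => true
  }
}
```

Tagging the target events with `_reparse` beforehand (for example with an update-by-query) is what scopes the second pipeline; once the tag is removed on write, re-running it is a no-op.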