I have a date that is present only once in each log file, and I am trying to add this date to all the following events after it has been matched once, which to some extent acts as a global variable. (The date is at the top of the document, and I cannot use multiline or make changes to the name or contents of the file.)
For this, my approach is to use a grep filter with drop => false.
grok {
  patterns_dir => "[...]"
  match => [ "message", "%{DATELINE}" ]
  tag_on_failure => [ ]
}
grep {
  add_field => { "grepdate" => "%{mydate}" }
  drop => false
}
date {
  locale => "en"
  timezone => "Europe/Paris"
  match => [ "grepdate", "yyyyMMdd" ]
  target => "grepdate"
}
Regular expression:
DATELINE (= Date: (?<mydate>[0-9]{8}))
I noticed that the grepdate field is correctly added to all events - this is what I want - but the value of this field is not the date itself (the value of %{mydate}) but the literal string "%{mydate}", except when the actual match is executed for the first time (when analyzing the actual date in my log file, the grepdate field contains the correct value).
What can I do to fix this?
Any help is greatly appreciated.
Edit:
Now I'm trying to find a solution involving using the memorize plugin. However, I get the following error:
You cannot use more than one working filter, because the following plugins do not work with several workers: remember
Is there a way to make this filter thread safe?
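A model of the behaviour described in the question, added here and not part of the original post or of Logstash itself: it shows why a "%{mydate}" reference stays literal on events that lack the field, and how a header date can be carried forward per file behind a lock. It is plain Ruby over hash "events"; sprintf_like, DateCarrier and the sample lines are hypothetical names and constructed data.

```ruby
# Added example: plain Ruby model of per-event field substitution, not Logstash code.
# All names here (sprintf_like, DateCarrier, the sample lines) are hypothetical.

# Mimics "%{field}" substitution: a reference to a field the event does not
# have is left as the literal text, which is the symptom in the question.
def sprintf_like(template, event)
  template.gsub(/%\{(\w+)\}/) { event.key?($1) ? event[$1].to_s : "%{#{$1}}" }
end

# Remembers the last header date seen per source file. The Mutex makes the
# shared hash safe to touch from several threads; it does not restore event
# order, so a line handled before its file's header still gets no date.
class DateCarrier
  DATELINE = /Date: (?<mydate>[0-9]{8})/

  def initialize
    @last = {}
    @lock = Mutex.new
  end

  def filter(event)
    m = DATELINE.match(event["message"])
    @lock.synchronize do
      @last[event["path"]] = m[:mydate] if m
      date = @last[event["path"]]
      event["grepdate"] = date if date
    end
    event
  end
end

# Constructed sample input: two files, each with one header line.
SAMPLE = [
  { "path" => "a.log", "message" => "Date: 20140102" },
  { "path" => "a.log", "message" => "event one" },
  { "path" => "b.log", "message" => "event before any header" },
  { "path" => "b.log", "message" => "Date: 20140315" },
  { "path" => "a.log", "message" => "event two" },
]

def run_sample
  carrier = DateCarrier.new
  SAMPLE.map { |e| carrier.filter(e.dup)["grepdate"] }
end

if __FILE__ == $0
  p sprintf_like("%{mydate}", { "message" => "event one" })
  p run_sample
end
```

The third sample event shows the ordering limit: a lock protects the stored value, but an event processed before its file's header line has nothing to inherit.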