Skip to content

Additional Commands

Jump to bottom
8naama edited this page Jun 7, 2022 · 15 revisions

Additional Commands

onSuccess [boolean]

The onSuccess command works if the processor parsed successfully. It allows performing further processing.

onSuccess should be an array under the config of the processor or statement.

{
  "steps": [{
  <processor or statement>,
    "onSuccess": [
      {
        <processor or statement>
      }
    ]
  }]
}

Example:

{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "patterns": [
            "^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:logMessage}$"
          ]
        },
        "onSuccess": [
          {
            "addTag": {
              "config": {
                "tags": [
                  "grok_parsing_works"
                ]
              }
            }
          }
        ]
      }
    }
  ]
}

onFailure [boolean]

The onFailure command works if the processor failed to parse. It allows performing further processing.

onFailure should be an array under the config of the processor or statement.

{
  "steps": [{
  <processor or statement>,
    "onFailure": [
      {
        <processor or statement>
      }
    ]
  }]
}

Example

{
  "steps": [
    {
      "grok": {
        "config": {
          "field": "message",
          "patterns": [
            "^%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:logLevel} %{GREEDYDATA:logMessage}$"
          ]
        },
        "onFailure": [
          {
            "addTag": {
              "config": {
                "tags": [
                  "failed_to_parse_grok"
                ]
              }
            }
          }
        ]
      }
    }
  ]
}

dateTemplate

Sometimes the timestamp field is missing info (such as year), so the date processor can't parse it correctly. In order to add that missing info, you can use dateTemplate to add relevant info from the date value at the moment, to the log.

Example

{
  "steps": [
    {
      "addField": {
        "config": {
          "path": "timestamp",
          "value": "{{#dateTemplate}}yyyy{{/dateTemplate}} {{timestamp}}"
        }
      }
    }
  ]
}

stopOnFailure [boolean]

  • false - (default) The pipeline will continue through the steps even if there is a processor failure.
  • true - The pipeline will stop processing at the first processor that has a failure.

Example

{  
  "steps":[  
    {<processor or statement>},
    {<processor or statement>},
    {<processor or statement>}
  ],
  "stopOnFailure":true
}
Clone this wiki locally