Using filter parsing, all fields that are not the message_key are lost

Bobby M.

Nov 22, 2016, 2:02:33 PM
to Fluentd Google Group
I've got a set of logs I'm using grok-parser on with a syslog source.  When the message comes in I have all the fields I expect from syslog:  hostname, timestamp, message, etc

Before the grok filter I get:

2016-11-22 18:16:02 +0000 stage.host000.daemon.info: {"host":"host000","ident":"docker/dockerapp","pid":"1234","message":"X.X.X.X - - [22/Nov/2016:18:16:02 +0000] \"POST /path/to/url HTTP/1.1\" 200 33 \"http://targethost/path/to/url/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"","source_host":"X.X.X.X"}


But after the grok filter only the contents of message are moved into fields.  I no longer have hostname, timestamp, etc.  I want to keep these fields.  What is the best approach?

Mr. Fiber

Nov 23, 2016, 9:56:53 PM
to Fluentd Google Group
If you use grok with parser filter, use reserved_data.



Masahiro

--
You received this message because you are subscribed to the Google Groups "Fluentd Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fluentd+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
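The fix described above, as an added example that is not part of the thread: a Fluentd (v1 syntax) parser filter for the syslog records shown in the question. The option is spelled `reserve_data` in the plugin; the port, tag and grok pattern are assumptions for illustration.

```conf
# Constructed example: syslog source feeding a grok parser filter.
<source>
  @type syslog
  port 5140
  tag stage
</source>

# Without "reserve_data true" the filter replaces the whole record with
# the fields parsed out of "message", so host, ident, pid and source_host
# are dropped. With it, the parsed fields are merged into the original
# record and the syslog fields survive.
<filter stage.**>
  @type parser
  key_name message
  reserve_data true
  # Optional: drop the raw "message" now that it has been parsed, so the
  # same text is not stored twice.
  remove_key_name_field true
  <parse>
    @type grok
    # Matches the access-log line embedded in "message" in the question.
    grok_pattern %{IPORHOST:client} - - \[%{HTTPDATE:time}\] "%{WORD:method} %{NOTSPACE:path} HTTP/%{NUMBER:http_version}" %{NUMBER:status} %{NUMBER:bytes} "%{DATA:referrer}" "%{DATA:user_agent}"
  </parse>
</filter>
```

With the filter above, the record that reaches the next stage carries both the syslog fields (host, ident, pid, source_host) and the grok fields (client, method, path, status, and so on).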

Bobby M.

Nov 30, 2016, 1:55:21 PM
to Fluentd Google Group
reserved_data works perfectly. Thank you for the information!