We have a log line something like the one below:
----------------
{\"log_version\": 1, \"log_type\": \"EVENT\", \"timestamp\": 1616415932304, \"sub_module\": \"users\", \"module\": \"administrative-metadata-management\", \"event_description\": \"goyal, siddharth edited\", \"tenant_id\": \"tenant3\", \"identifier\": {\"actor\": {\"type\": \"user\", \"value\": \"19462770-74ad-4d83-b144-cd6a25069f03\"}, \"target\": {\"type\": \"user\", \"value\": [\"674a2f25-2262-45c9-a78c-77942e58aaf0\"]}}, \"status\": 0, \"request_id\": \"amm-24fd64c1-7da0-4122-ad2c-afe09fba37bb\", \"meta\": {\"request_path\": \"/users/674a2f25-2262-45c9-a78c-77942e58aaf0/\", \"user_id\": \"19462770-74ad-4d83-b144-cd6a25069f03\", \"status\": \"Edited user\", \"method\": \"PUT\"}, \"event_id\": \"default\"}
-------------------
These are JSON logs, and we have a specific field, log_type, whose expected values are EVENT and AUDIT.
Now we want to push logs with log_type: EVENT to the event index on Elasticsearch and logs with log_type: AUDIT to the audit index on Elasticsearch.
For this I tried the config below:
------------------------
# <filter event.**>
#   @type rewrite_tag_filter
#   <rule>
#     key $.log.log_type
#     pattern ^(.+)$
#     tag $1
#   </rule>
# </filter>
------------------
so that we can route on the basis of tags, but we were unable to do it and are getting the error below:
------------------
2021-03-22 13:50:02 +0000 [warn]: #0 dump an error event: error_class=Fluent::Plugin::Parser::ParserError error="pattern not matched with data '2021-03-22 13:49:59 +0000 [warn]: #0 unknown placeholder `${record[\"log\"][\"log_type\"]}` found\n'" location=nil tag="event.var.log.containers.audit-report-fluentd-2c8nd_logging_fluentd-faea24e0af60e0d4f45f936bf99a33a0972a7d2deeeed88aea4b816dc8cd8e78.log" time=2021-03-22 13:49:59.265421841 +0000 record={"log"=>"2021-03-22 13:49:59 +0000 [warn]: #0 unknown placeholder `${record[\"log\"][\"log_type\"]}` found\n"}
-----------------------------
Any help or guidance on this?
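As an added illustration (Python, not Fluentd config, and not from the original post), the routing the question asks for: it mirrors the two steps such a pipeline needs, parsing the JSON string carried in the container record's `log` field and then picking an index from its `log_type`, and it shows why a record whose `log` field is plain text, like the fluentd warning line in the error above, has no `log_type` to route on. The index names and sample records are constructed assumptions.

```python
import json
from typing import Optional

# Constructed samples. The first two mirror the record shape in the question:
# the container's "log" field holds the application's JSON line as a string.
# The third mirrors the plain-text fluentd warning from the error output, and
# the fourth has a log_type outside the expected EVENT/AUDIT set.
SAMPLE_RECORDS = [
    {"log": json.dumps({"log_type": "EVENT", "module": "administrative-metadata-management",
                        "tenant_id": "tenant3", "event_description": "goyal, siddharth edited"})},
    {"log": json.dumps({"log_type": "AUDIT", "module": "users", "tenant_id": "tenant3"})},
    {"log": "2021-03-22 13:49:59 +0000 [warn]: #0 unknown placeholder found\n"},
    {"log": json.dumps({"log_type": "DEBUG", "module": "users"})},
]

# Hypothetical target index names (assumption, not from the question).
INDEX_BY_LOG_TYPE = {"EVENT": "event", "AUDIT": "audit"}


def parse_inner_log(record: dict) -> Optional[dict]:
    """Return the JSON object held in record["log"], or None when the field
    is missing, not a string, or not a JSON object (e.g. a text warning)."""
    raw = record.get("log")
    if not isinstance(raw, str):
        return None
    try:
        parsed = json.loads(raw)
    except ValueError:
        return None
    return parsed if isinstance(parsed, dict) else None


def route_index(record: dict) -> Optional[str]:
    """Pick the index from the inner log_type; None means unroutable."""
    inner = parse_inner_log(record)
    if inner is None:
        return None
    return INDEX_BY_LOG_TYPE.get(inner.get("log_type"))


def route_all(records):
    """Split records into {index: [parsed logs]} plus the unroutable ones,
    so that nothing is silently dropped on the way to the audit index."""
    routed, rejected = {}, []
    for rec in records:
        idx = route_index(rec)
        if idx is None:
            rejected.append(rec)
        else:
            routed.setdefault(idx, []).append(parse_inner_log(rec))
    return routed, rejected
```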