I've got a set of logs I'm using grok-parser on with a syslog source. When the message comes in I have all the fields I expect from syslog: hostname, timestamp, message, etc.
Before the grok filter I get:
2016-11-22 18:16:02 +0000 stage.host000.daemon.info: {"host":"host000","ident":"docker/dockerapp","pid":"1234","message":"X.X.X.X - - [22/Nov/2016:18:16:02 +0000] \"POST /path/to/url HTTP/1.1\" 200 33 \"http://targethost/path/to/url/\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36\"","source_host":"X.X.X.X"}
But after the grok filter only the contents of message are moved into fields. I no longer have hostname, timestamp, etc. I want to keep these fields. What is the best approach?
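As an added illustration, not part of the original post, here is a Fluentd configuration (v1 syntax) that parses the access log nested in `message` while keeping the syslog-level fields, using the parser filter's `reserve_data` option. The syslog port, the `stage` tag and the use of `%{COMBINEDAPACHELOG}` are assumptions based on the sample record above.

```conf
# Added example, not from the original post.
# Assumptions: Fluentd v1 config syntax, fluent-plugin-grok-parser installed,
# syslog events tagged stage.*, and "message" holding a combined-format
# access-log line like the one in the sample record.

<source>
  @type syslog
  # Port is an assumption; adjust to the listener actually in use.
  port 5140
  tag stage
  # Adds source_host to each record, as seen in the sample.
  <transport udp>
  </transport>
</source>

<filter stage.**>
  @type parser
  # Field that holds the nested access-log line.
  key_name message
  # Keep host, ident, pid, source_host and the event time on the record
  # instead of replacing the whole record with the grok result.
  reserve_data true
  # Nest the parsed fields under "access" so grok field names such as
  # "host" cannot overwrite the syslog "host" field.
  hash_value_field access
  # Drop the raw line once it has been parsed into fields.
  remove_key_name_field true
  <parse>
    @type grok
    grok_pattern %{COMBINEDAPACHELOG}
  </parse>
</filter>

<match stage.**>
  @type stdout
</match>
```

With `hash_value_field` omitted, the grok fields are merged at the top level and a name collision (for example grok's `clientip`-style fields versus the syslog `host`) is resolved in favour of the parsed value, so nesting is the safer default when the inner log shares field names with the outer record.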