The 'tag_on_failure' attribute doesn't interpolate template variables

Question

The 'tag_on_failure' attribute doesn't interpolate template variables

hartfordfive opened this issue 8 years ago · 0 comments

This would be a useful feature if the tag_on_faliure attribute would interpolate dynamic template variables. For example, given a template variable type = syslog:

       grok {
          match => [
            "message", "%{SYSLOGBASE:syslog_data}\s+%{GREEDYDATA:message}"
          ]
          overwrite => [ "message" ]
          tag_on_failure => ["_grokparsefailure_%{type}"]
        }

Should tag the event with _grokparsefailure_syslog but is currently showing up as _grokparsefailure_%{type}