Open
Description
I'm using the split filter along with the logstash-input-snmp to gather SNMP data and ingest into Elastic.
In order to ingest data on a per-core, per-interface, per-filesystem basis, I'm using separate input blocks with tagging and then using the split filter based on the tags.
What I'd like to be able to do is use a single snmp input to walk a device and then use the split filter on the original event multiple times to split out the various tables of data.
e.g. Based on a rough format of:
```json
{
  "device_name": "mydevice.my.domain",
  "device_version": "1.2.3.4",
  "device_uptime": 123456,
  "cpu": {
    "1": "data",
    "2": "data",
    "3": "data"
  },
  "mem": {
    "1": "data",
    "2": "data",
    "3": "data"
  },
  "int": {
    "1": "data",
    "2": "data",
    "3": "data"
  }
}
```
I could use a pipeline with:

```
filter {
  if "cpu_split" in [tags] {
    # do cpu related parsing and cleanup (drop non cpu fields)
  } else if "mem_split" in [tags] {
    # do mem related parsing and cleanup (drop non mem fields)
  } else if "int_split" in [tags] {
    # do int related parsing and cleanup (drop non int fields)
  } else {
    split {
      field => "cpu"
      keep_original => true
      add_tag => [ "cpu_split" ]
    }
    split {
      field => "mem"
      keep_original => true
      add_tag => [ "mem_split" ]
    }
    split {
      field => "int"
      keep_original => true
      add_tag => [ "int_split" ]
    }
    # Drop cpu/mem/int fields and parse the rest of results (or just drop{} if nothing left)
  }
}
```
viranch
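The fan-out described in the issue, written out as a standalone Ruby example (added here; it is not code from the issue author or from the logstash-filter-split plugin). It takes one polled event in the shape sketched above, emits one child event per table row per table field, tags each child with `<field>_split`, drops the other table fields from the child, and leaves the original event untouched. The sample event, the `index`/`value` row shape for hash-valued tables, and the helper names `table_rows`, `fan_out` and `branch_for` are all assumptions made for this example. One caveat it encodes: the stock split filter only splits Array or String fields, so tables keyed by `1`, `2`, `3` as in the issue need to be turned into an array of rows before any split can act on them.

```ruby
# Added example (not code from the issue or the logstash-filter-split plugin):
# emulates the fan-out the issue asks for -- one polled SNMP event split into
# per-table child events, with the original kept -- on plain Ruby hashes.

require 'json'

# Constructed sample event in the shape sketched in the issue. "cpu" and "mem"
# are hash-valued tables, "int" is already an array, so both shapes are covered.
SAMPLE_EVENT = {
  "device_name"    => "mydevice.my.domain",
  "device_version" => "1.2.3.4",
  "device_uptime"  => 123456,
  "cpu"  => { "1" => "cpu-data-1", "2" => "cpu-data-2", "3" => "cpu-data-3" },
  "mem"  => { "1" => "mem-data-1", "2" => "mem-data-2" },
  "int"  => [ "int-data-1", "int-data-2", "int-data-3" ],
  "tags" => ["snmp"]
}.freeze

# Table fields to split out; assumed for the example.
TABLE_FIELDS = %w[cpu mem int].freeze

# Normalise a table field to an Array of rows. Hash tables (as in the issue)
# become rows of {"index" => key, "value" => value}; arrays are used as-is;
# anything else is rejected, mirroring the split filter's "only String and
# Array types are splittable" rule.
def table_rows(value)
  case value
  when Array then value
  when Hash  then value.map { |k, v| { "index" => k, "value" => v } }
  else raise ArgumentError, "table field must be an Array or Hash, got #{value.class}"
  end
end

# Fan one event out into child events, one per row per table field.
# Each child carries the non-table fields (device_*), the single row under
# `field`, and a `<field>_split` tag; the other table fields are dropped so a
# downstream branch only sees its own data. The original event is returned
# unmodified, which is the keep_original behaviour the issue asks for.
def fan_out(event, table_fields = TABLE_FIELDS)
  present = table_fields.select { |f| event.key?(f) }
  common  = event.reject { |k, _| table_fields.include?(k) }
  children = present.flat_map do |field|
    table_rows(event[field]).map do |row|
      child = Marshal.load(Marshal.dump(common)) # deep copy: children must not share state
      child[field] = row
      child["tags"] = (child["tags"] || []) + ["#{field}_split"]
      child
    end
  end
  { original: event, children: children }
end

# Route a child to its per-table branch, the way the `if "cpu_split" in [tags]`
# conditionals in the issue would. Returns nil for an untagged event.
def branch_for(child, table_fields = TABLE_FIELDS)
  table_fields.find { |f| (child["tags"] || []).include?("#{f}_split") }
end

if $PROGRAM_NAME == __FILE__
  result = fan_out(SAMPLE_EVENT)
  result[:children].each { |c| puts "#{branch_for(c)}: #{c.to_json}" }
end
```

Run it with `ruby fan_out.rb` to see the eight child events, three for `cpu`, two for `mem`, three for `int`, each tagged for its own branch. The deep copy matters: a shallow copy would let every child share the same `tags` array, so a later branch mutating it would corrupt its siblings.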