So I have written a parser.
It's a custom parser.
# Custom parser: copies the whole incoming log line into one UDM additional
# field and emits the result as event1.
# NOTE(review): nothing in this filter assigns any
# event1.idm.read_only_udm.metadata.* field, which matches the reported
# "UDM.metadata not present" validation error. A UDM event needs at least
# metadata.event_type; a mutate/replace such as
#   "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
# placed before the merge into @output is the usual minimum. Confirm the
# event type that fits this log source.
filter {
# Initialise raw_Event to an empty string so it exists before grok runs.
mutate {
replace => {
"raw_Event" => ""
}
}
# Capture the entire message into raw_Event. GREEDYDATA matches the whole
# line, so no individual fields are extracted here.
grok {
match => {
"message" => ["%{GREEDYDATA:raw_Event}"]
}
overwrite => ["raw_Event"]
# NOTE(review): grok_failed is named here but never checked anywhere else in
# this filter, so a grok failure would go unnoticed. Confirm whether that is
# intended.
on_error => "grok_failed"
}
# NOTE(review): both sides of this comparison are quoted string literals, so
# it looks like it compares the text "raw_Event" with "" (always true) rather
# than the field's value. Field references in conditionals are normally
# written [raw_Event]. Verify against the parser syntax reference.
if "raw_Event" != "" {
# Build one key/value pair (key "raw_Event", value = the original message)
# and append it to the event's additional.fields list.
mutate {
replace => {
"additional_fields.key" => "raw_Event"
"additional_fields.value.string_value" => "%{message}"
}
merge => {
"event1.idm.read_only_udm.additional.fields" => "additional_fields"
}
}
}
# Emit event1 as a parser output event.
mutate {
merge => {
"@output" => "event1"
}
}
# Debug dump of the parser state, labelled "first". It runs after the merge
# into @output, so it presumably shows the final event. Presumably only
# needed while troubleshooting.
statedump{
label => "first"
}
}
The error I am facing states: generic::unknown: enrichment failed for event 0: LOG_PARSING_GENERATED_INVALID_EVENT: "generic::invalid_argument: UDM.metadata not present"
Can someone help me resolve this?