tag_on_failure => [] # prevent default _grokparsefailure tag on real records

[elk@zjtest7-frontend config]$ cat stdin04.conf 
input {
    stdin {
    }
}
filter {
  # drop sleep events
  grok {
    match => { "message" => "SELECT aaa" }
    add_tag => [ "sleep_aaa" ]
    #tag_on_failure => [] # prevent default _grokparsefailure tag on real records
  }


  grok {
    match => { "message" => "SELECT bbb" }
    add_tag => [ "sleep_bbb" ]
  }
  }
output {
if "sleep_aaa" in [tags]{
 stdout {
  codec=>rubydebug{}
   }
}
 else if "sleep_bbb" in [tags]{
 stdout {
  codec=>json
   }
}

}

[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin04.conf 
Settings: Default pipeline workers: 1
Pipeline main started
SELECT bbb
{"message":"SELECT bbb","@version":"1","@timestamp":"2016-09-15T10:33:12.170Z","host":"0.0.0.0","tags":["_grokparsefailure","sleep_bbb"]}

此时出现了默认的"tags":["_grokparsefailure","sleep_bbb"]


/************************************************************
[elk@zjtest7-frontend config]$ cat stdin04.conf 
input {
    stdin {
    }
}
filter {
  # drop sleep events
  grok {
    match => { "message" => "SELECT aaa" }
    add_tag => [ "sleep_aaa" ]
    tag_on_failure => [] # prevent default _grokparsefailure tag on real records
  }


  grok {
    match => { "message" => "SELECT bbb" }
    add_tag => [ "sleep_bbb" ]
  }
  }
output {
if "sleep_aaa" in [tags]{
 stdout {
  codec=>rubydebug{}
   }
}
 else if "sleep_bbb" in [tags]{
 stdout {
  codec=>json
   }
}

}
a
[elk@zjtest7-frontend config]$ ../bin/logstash -f stdin04.conf 
Settings: Default pipeline workers: 1
Pipeline main started
SELECT bbb
{"message":"SELECT bbb","@version":"1","@timestamp":"2016-09-15T10:34:39.194Z","host":"0.0.0.0","tags":["sleep_bbb"]}