Can I grok out the host field if its not a valid IP? Also, what is the host field?

red888 · February 19, 2018, 7:06pm

Not sure how to handle this.

I have this in my index template:
"host": {
"type": "IP"
},

In logstash I have this:
input {
tcp {
type => "weblogs"
port => "9999"
}
}

Now on a production server "host" is always a valid IP address, but if Im running a logstash container locally and sending data to it from the host (my laptop) the "host" field is populated as "gateway" for some reason.

I was thinking about groking out the host field if it is not a valid IP, but then i realized I don't even know how this field gets in there. Is this a field logstash injects? it seems to be. And if its always just the IP or hostname of the server I suppose there is no real value to casting it as an IP anyway.

magnusbaeck · February 20, 2018, 8:19pm

It's the tcp input that populates the host field. IIRC the hostname is used if available, otherwise you get an IP address.

system · March 20, 2018, 8:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash host field set as docker bridge network gateway Logstash docker	6	765	September 20, 2019
Trying to replace ‘host’ and port field Logstash	3	2271	January 8, 2020
Trying to add a field with the ip address of the host Logstash	3	4833	July 6, 2017
How does Logstash know the host.hostname field? Logstash	5	851	October 8, 2023
Index by hostname? Logstash	3	897	November 19, 2022

Can I grok out the host field if its not a valid IP? Also, what is the host field?

Related Topics