Can't use type in logstash conf file

vikrams · April 5, 2017, 9:20am

I am trying to use "type" for conditional filtering from two different inputs ,
Below is a simplified configuration
I dont get any data in my index using this file.
But if i simply remove "type" and conditions using "type"
everything works fine.

input {
    beats {
        port => "5043"
        #type => ABC
        type => "ABC"
    }
}

filter {
  if [type] == "ABC" {
        grok {
                match => {"message" => "%{TIMESTAMP_ISO8601} - \[%{NOTSPACE}\] %{LOGLEVEL}  - %{JAVACLASS} \| %{WORD} %{URIPROTO}://%{URIHOST}/%{WORD:serviceName}-%{WORD}/%{WORD:entity}/%{BASE10NUM:id}, status = %{BASE10NUM:status}, time = %{BASE10NUM:duration} %{WORD:timeunits}."}
        }
        }
}
output {
    if [type] == "ABC" {
    elasticsearch {
        hosts => [ "elastiSearchIp:9200" ]
        index => "testlogs_1march"
    }
    }
}

Can some one please advice

Thankyou
Vikram

guyboertje · April 5, 2017, 11:42am

This is standard practice.
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html#plugins-inputs-beats-type
https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals
type when set is a field like any other. People use this patterns all the time.

try this, you should see the JSON'ed events in the console.

output {
  if [type] == "ABC" {
    stdout { codec => 'json'}
  } else {
    elasticsearch {
        hosts => [ "elastiSearchIp:9200" ]
        index => "testlogs_1march"
    }
  }
}

vikrams · April 5, 2017, 6:27pm

Thanks @guyboertje

I found the problem .
filebeat was already sending a type field in the message.
And once set logstash cant override type feild.

Cheers
Vikram

system · May 3, 2017, 6:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.