Common Option 'id' in input plugin

Elastic Stack Logstash
1

Dear all,

Thank you very much for your time to read my question.

I have created a config file with the the input section shown below.

input {
file {
path => [
"/var/log/messages"
]
id => "syslog"
tags => "syslog"
}
}

I understand the deprecation of 'type' and thus I have used 'tags' extensively. However, I'm also aware that seeking a value from a list can be less efficient and would like to use 'id' here for a condition critera. For example, under 'filter' section, I'd like to have:-

filter {
if [id] == "syslog" { do one thing} # however this doesn't work
if "syslog" in [tags] { do one thing} # this works
else {do another}
}

Grateful if you could instruct how I can use 'id' in this case? I'm unable to find any information from the document.

Many thanks in advance,

James Ren

2

The id option is not added to the events that an input generates. It is used to label the statistics about the input that you can access using the monitoring API.

If you want to add additional fields to the events use the add_field common option.

3

Thank you, that makes sense.

Would there be any performance penalty for 'adding a field' and then 'remove the field' before output?

4

Well the operation is not free, but adding a field to a hash (which is what it is doing) is a pretty cheap operation.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.