Conditional Filebeat output based on document type

tsullivan93 · January 26, 2018, 4:43pm

Currently I have filebeat on a server with multiple different application logs, so I have multiple prospectors grabbing and tagging the different application logs. The logs have different formats so one of them needs to be sent to logstash for filtering will the others are json so they can go directly to Elasticsearch.

My question is, is there a way to ensure the one log that needs filtering is only sent to logstash, not elasticsearch, and the logs that do not need filtering are sent only to Elasticsearch and not logstash. Currently I have something like this for my elasticsearch output

index: "audience_backend-%{+yyyy.MM.dd}"
when.contains:
type: "audience_backend"

index: "audience_exceptions-%{+yyyy.MM.dd}"
when.contains:
type: "audience_exceptions"

The issue being is the third log that has a different type is still sent to Elasticsearch under the default filebeat index even though it does not match either of the above.

kvch · January 29, 2018, 11:25am

You need to filter out the third log which has a different type.
You could use a processor to drop those unwanted events. (Assuming it is what you want to do with messages not matching anything.)
More on processors: https://www.elastic.co/guide/en/beats/filebeat/master/filtering-and-enhancing-data.html

Let me know if you need further help.

system · February 26, 2018, 11:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to filter data from Filebeats in Logstash Logstash	6	7085	July 6, 2017
Filter the data sent by filebeat Logstash	5	848	July 24, 2017
Multiple index in elasticsearch from filebeat Beats filebeat	4	3207	August 4, 2017
Manage multiple beats on a single Logstash instance Logstash	5	3908	July 6, 2017
Logstash output configuration for beat Logstash	3	615	July 6, 2017

Conditional Filebeat output based on document type

Related topics