Conditional mutate not working

pkaramol · September 26, 2017, 10:10am

I am logging to more than one ports using syslog plugin.

However the following conditional filter does not work (although logs are received in more than one port as expected.

Any suggestions?

input {
  tcp {
    port => 5151
    type => syslog
  }
  tcp {
    port => 5152
    type => syslog
  }
}


filter {
    if [port] == 5151 {
        mutate {
            add_field => {'received_from' => 'service1'}
        }
    }
    if [port] == 5152 {
        mutate {
            add_field => {'received_from' => 'service2'}
        }
    }
}


output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

magnusbaeck · September 26, 2017, 10:30am

The tcp input doesn't create a port field on incoming events, but you can configure it to add such a field by putting an add_field declaration in each tcp input.

pkaramol · September 26, 2017, 10:35am

Many thanks, now it works (no need for filter I guess):

input {
  tcp {
    port => 5151
    type => syslog
    add_field => {'received_from' => 'service1'}
  }
  tcp {
    port => 5152
    type => syslog
    add_field => {'received_from' => 'service2'}
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

system · October 24, 2017, 10:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter conditionals not working as expected Logstash	3	301	December 27, 2020
IF conditional not dropping field Logstash	2	520	February 19, 2018
Any alternatives to if and mutate? Logstash	3	693	July 6, 2017
Filter if condition in Logstash Logstash	8	19413	July 24, 2019
Mutate under conditional statement is not working. any suggestion please Logstash	2	412	October 2, 2017

Conditional mutate not working

Related topics