Conditional mutate not working

pkaramol · September 26, 2017, 10:10am

I am logging to more than one ports using syslog plugin.

However the following conditional filter does not work (although logs are received in more than one port as expected.

Any suggestions?

input {
  tcp {
    port => 5151
    type => syslog
  }
  tcp {
    port => 5152
    type => syslog
  }
}


filter {
    if [port] == 5151 {
        mutate {
            add_field => {'received_from' => 'service1'}
        }
    }
    if [port] == 5152 {
        mutate {
            add_field => {'received_from' => 'service2'}
        }
    }
}


output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

magnusbaeck · September 26, 2017, 10:30am

The tcp input doesn't create a port field on incoming events, but you can configure it to add such a field by putting an add_field declaration in each tcp input.

pkaramol · September 26, 2017, 10:35am

Many thanks, now it works (no need for filter I guess):

input {
  tcp {
    port => 5151
    type => syslog
    add_field => {'received_from' => 'service1'}
  }
  tcp {
    port => 5152
    type => syslog
    add_field => {'received_from' => 'service2'}
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

system · October 24, 2017, 10:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.