Conditional mutate not working

pkaramol · September 26, 2017, 10:10am

I am logging to more than one ports using syslog plugin.

However the following conditional filter does not work (although logs are received in more than one port as expected.

Any suggestions?

input {
  tcp {
    port => 5151
    type => syslog
  }
  tcp {
    port => 5152
    type => syslog
  }
}


filter {
    if [port] == 5151 {
        mutate {
            add_field => {'received_from' => 'service1'}
        }
    }
    if [port] == 5152 {
        mutate {
            add_field => {'received_from' => 'service2'}
        }
    }
}


output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

magnusbaeck · September 26, 2017, 10:30am

The tcp input doesn't create a port field on incoming events, but you can configure it to add such a field by putting an add_field declaration in each tcp input.

pkaramol · September 26, 2017, 10:35am

Many thanks, now it works (no need for filter I guess):

input {
  tcp {
    port => 5151
    type => syslog
    add_field => {'received_from' => 'service1'}
  }
  tcp {
    port => 5152
    type => syslog
    add_field => {'received_from' => 'service2'}
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

Topic		Replies	Views
Filter conditionals not working as expected Logstash	3	336	December 27, 2020
Filter if condition in Logstash Logstash	8	19689	July 24, 2019
Can't make conditionnal filtering to work Logstash	7	1419	December 5, 2016
Adding fields to configuration file Logstash	8	5596	February 12, 2020
IF conditional not dropping field Logstash	2	549	February 19, 2018

Conditional mutate not working

Related topics