Hello!
Goal: Have one logstash config for many hosts with only file inputs, except on one or few of them don't read this one type of logs.
Basically I would like to have something like:
input {
if [hostname] != "host1.example.com" {
file {
path => "/var/log/thislog.log"
type => "logtype"
}
}
}
I could of course drop everything with type "logtype" or somsuch, but it would be nice to tell logstash to not read it at all.
Any idea if something like this is possible?
Regards,
This is currently impossible with all 1.x versions of Logstash because fields and field contents are part of an event. Events are not created until the data leaves the input block. As such there is nothing in the field hostname to test with a conditional at the time of ingest.
From event dependent configuration in the Logstash documentation:
Some of the configuration options in Logstash require the existence of fields in order to function. Because inputs generate events, there are no fields to evaluate within the input block—they do not exist yet!
Because of their dependency on events and fields, the following configuration options will only work within filter and output blocks.
Field references, sprintf format and conditionals, described below, will not work in an input block.
The aforementioned configuration options which will not work within input blocks are documented at field references, sprintf format, and conditionals.
Hi Aaaron,
thanks for the reply. At least now I am somewhat closer to figuring out the names of what I'd like to do 
[hostname] in my usecase doesn't necessarily have to be in an event, could also be taken from the OS environment, like $HOSTNAME or equivalent. I take it this is also impossible with logstash 1.x.
After going through logstash github issues it also seems that looking up environment variables will not be implemented "because one should use puppet" or something like that. Anyway, $HOSTNAME for me is not an environment variable and
logstash-forwarder apparently has this feature, https://github.com/elastic/logstash-forwarder/pull/435
There is also an open PR about making $HOSTNAME available - https://github.com/elastic/logstash/pull/1396
Seems all it does is exporting $HOSTNAME in the bin/logstash shell script: https://github.com/coolacid/logstash/blob/d35dee25ed77e7ed258ded0b66df3993ff921827/bin/logstash
I'll have to check out if that is all it takes.
Could not get that to work. How to call it? $HOSTNAME don't work, invalid logstash syntax..
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.