Conditionals with nested fields in logstash not working

darlin · November 5, 2020, 2:29pm

Hi,

somehow when we use the input http plugin afterwards the conditionals with nested fields are not working. I've already tried with a non nested field and then it is working.

With the below configuration the request will be sent to elasticsearch instead of the businessobjects pipeline

HTTP Input Pipeline

    input {
  http {
    port => 8080
  }
}

output {
  if [log][message] =~ ".*BO.*" {
    pipeline {
      send_to => "businessobjects"
    }
  }
  else {
    elasticsearch {
   ....
   }
  }
  stdout { codec => rubydebug }
}

JSON Body of Request

    {
   "log.message":"BO Data is published",
}

I hope anyone can help!
Thank you
Darlin

Badger · November 5, 2020, 3:13pm

That would be [log.message]

[log][message] would be used if the JSON were

{ "log": { "message": "BO Data is published" } }

darlin · November 6, 2020, 11:50am

Thank you! Now it's working!

system · December 4, 2020, 11:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.