Custom field (filebeat) in condition in logstash filter

arp220 · December 6, 2020, 7:23am

I have this config in filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  fields_under_root: true
  fields:
    service_name: "nginx"
##### OutPut #######
output.logstash:
  hosts: ["x.x.x.x:5044"]

and in logstash config:

input {
   beats {
     port => 5044
   }
}
filter {
    if  [fields][service_name] == 'nginx' {
        json { source => "message" }
      }
}
output {
    if  [fields][service_name] == 'nginx' {
        elasticsearch {
        hosts => ["https://x.x.x.x:9200"]
        user => "user"
        password => "password"
        index => "logstash_nginx"
        cacert => "/usr/share/logstash/config/elasticsearch-ca.pem"
        ssl_certificate_verification => false
    }
        stdout{ codec => rubydebug }
  }
}

But nothing happens!? Where is my mistake? filebeat config or logstash config?
thanks.
******** Update *******
when I disable if in logstash config, filebeat sends the field correctly (service_name).
So, why logstash if not work?

thanks.

kelk · December 6, 2020, 8:28am

I think you to debug step by step

Remove all the filter entries and see if you can see the data inside elasticsearch or stdout
Check carefully for the field names, especially if the field name is. fields.service_name (which I don't think it is)
Then finding the correct field name and put the if condition accordingly or try other fields to see

my experience, always shows test with no filters, then build it upwards, so you can fine tune.

arp220 · December 6, 2020, 9:22am

@kelk thanks.
I disable if and look structure log in elstiacsearch and I see service_name is a root structure because I use fields_under_root: true. So I remove [fields] in logstash config. as a result

filebeat.yml is:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/access.log
  fields_under_root: true
  fields:
    service_name: "nginx"

and logstash config is:

input {
   beats {
     port => 5044
   }

}
filter {

    if  [service_name]  == "nginx" {
        json { source => "message" }
         mutate { remove_field => [ "@version", "message","log", "port", "tags","@timestamp", "input", "ecs", "[agent][ephemeral_id]", "[agent][id]","[agent][name]","[agent][type]", "[agent][version]" ] }
      }
}

output {

    if  [service_name]  == "nginx" {
        elasticsearch {
        hosts => ["https://x.x.x.x:9200"]
        user => "user"
        password => "password"
        index => "logstash_nginx"
        cacert => "/usr/share/logstash/config/elasticsearch-ca.pem"
        ssl_certificate_verification => false
    }
  }

Badger · December 6, 2020, 3:48pm

_source is an elasticsearch construct, it does not exist in logstash.

if  [service_name]  == "nginx" {

would be correct provided that field_under_root is true.

system · January 3, 2021, 3:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat fields value unable to use it in logstash configuration file Logstash	9	570	February 7, 2021
How should I modify logstash.conf to get the field I want? Logstash	1	352	December 17, 2018
How to configure conditional input-output from Filebeats Logstash	11	4775	September 4, 2018
Question on Fields created in Filebeat and matched in Logstash Input Logstash	3	469	August 31, 2017
Logstash Conditional Indexes Logstash	5	4334	March 29, 2019

Custom field (filebeat) in condition in logstash filter

Related topics