Default values for @metadata?

A_B · June 18, 2018, 12:17pm

Hi,

is there a recommended way to set some default @metadata fields in Logstash for all documents? I'm using this logstash output config to "shard" different types of logs to their own indices as ESv6 no longer supports more than one type of documents per index

output {

  elasticsearch {
        hosts => ["10.0.0.3:9200", "10.0.0.18:9200", "10.0.0.26:9200"]
        index => "%{[@metadata][log_prefix]}-%{[@metadata][index]}-%{+YYYY.MM.dd}"
  }
}

For documents that to not have these metadata fields set I get these indices

$ curl -s http://localhost:9200/_cat/indices | grep meta
green open %{[@metadata][log_prefix]}-%{[@metadata][index]}-2018.06.18 -N6-8xHgTK6YxihD0euTJw 5 1 7002784   0   2.6gb   1.3gb
green open %{[@metadata][log_prefix]}-%{[@metadata][index]}-2018.05.23 fouzYG2ZQS2-OmGneendKg 5 1   12354   0   9.3mb   4.6mb

which is not quite what I had planned...

One way would be to use the alter filter plugin at the top of the filter chain.

filter {
  alter {
    add_field => { "%{[@metadata][log_prefix]}" => "my_prefix" }
    add_field => { "%{[@metadata][index]}" => "my_index" }
  }
}

Any better way to do it?

Cheers,
AB

magnusbaeck · June 18, 2018, 1:25pm

Any better way to do it?

No.

A_B · June 18, 2018, 1:42pm

Cool, thanks @magnusbaeck

A_B · June 18, 2018, 1:57pm

And what if I already set metadata on the Logstash input and only want to add if it does not exist

  if "[@metadata][log_prefix]" {
    WHAT GOES HERE IF I JUST WANT TO EXIT THE IF??
  }
  else {
    alter {
      add_field => { "%{[@metadata][log_prefix]}" => "my_prefix" }
    }
  }

or is it possible to do something like

  if no "[@metadata][log_prefix]" {
    alter {
      add_field => { "%{[@metadata][log_prefix]}" => "my_prefix" }
    }
 }

magnusbaeck · June 18, 2018, 6:28pm

if ! "[@metadata][log_prefix]" {

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

A_B · June 19, 2018, 7:10am

That's nice

Thank you @magnusbaeck once again. I was reading that exact documentation yesterday but it did not occur to me that you could do that

A_B · June 22, 2018, 2:23pm

Got this working and just wanted to paste the syntax that does what I wanted it to do

  if ! [@metadata][log_prefix] {
    alter {
      add_field => {
        "[@metadata][log_prefix]" => "fix"
      }
    }
  }

No double quote after if !

Very happy with the outcome. Works exactly as I had hoped.

system · July 20, 2018, 2:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.