I've enabled the drupal_dblog input, and I'm getting entries (documents), but they all have the same type as the entries in /admin/reports/dblog. It seems the type field set by the plugin is overridden by the contents of watchdog.type. I've also tried setting type to something else in the drupal_dblog configuration, but there's no difference. The configured/default value does not show up anywhere in the document. Maybe the database value should be changed to watchdog_type by changing the SELECT column list to an explicit list with type AS watchdog_type or something like that?
A workaround filter:
if [site] == "my-site-name" and [type] != "watchdog" {
mutate {
rename => {
"type" => "watchdog_type"
}
add_field => {
"type" => "watchdog"
}
}
}