I am using Elastic Agent to capture the custom log from a Pi-hole server, but I would like to split out the DNS logs and the DHCP logs, which are both found in pihole.log, into different indexes.
Things are working well; it is a pretty easy, straightforward process. But when I want to use my ingest pipeline to conditionally take some of these documents and put them into a separate index, nothing is written to the other index.
My simple ingest pipeline:
[
{
"grok": {
"field": "message",
"patterns": [
"%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG}"
]
}
},
{
"date": {
"field": "timestamp",
"formats": [
"MMM dd HH:mm:ss",
"MMM d HH:mm:ss"
],
"timezone": "CST6CDT"
}
},
{
"set": {
"field": "_index",
"value": "dhcp",
"if": "ctx?.program == 'dnsmasq-dhcp'"
}
}
]
When I test my pipeline with a document where program == dnsmasq-dhcp, the test shows the output correctly.
Input:
[
{
"_index": ".ds-logs-pihole-default-2021.11.04-000001",
"_type": "_doc",
"_id": "ziJAQ30BlfGFPPvm8jRA",
"_version": 1,
"_score": 1,
"_source": {
"agent": {
"hostname": "pihole",
"name": "pihole",
"id": "082ac260-4c92-437c-a1be-7ac20cad3c90",
"ephemeral_id": "5bfbf7ce-503b-4e56-8a43-72a1b17c46d8",
"type": "filebeat",
"version": "7.15.1"
},
"log": {
"file": {
"path": "/var/log/pihole.log"
},
"offset": 13012150
},
"elastic_agent": {
"id": "082ac260-4c92-437c-a1be-7ac20cad3c90",
"version": "7.15.1",
"snapshot": false
},
"pid": "1028",
"program": "dnsmasq-dhcp",
"message": "Nov 21 10:07:48 dnsmasq-dhcp[1028]: DHCPREQUEST(enp1s0) 192.168.3.5 10:08:b1:6d:40:4e ",
"input": {
"type": "log"
},
"@timestamp": "2021-11-21T10:07:48.000-06:00",
"ecs": {
"version": "1.11.0"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "pihole"
},
"host": {
"hostname": "pihole",
"os": {
"kernel": "5.11.0-40-generic",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.3 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"192.168.2.2",
"fe80::84b1:1fc2:bc0c:8ce1",
"10.8.0.1",
"fe80::c65b:fb20:25cf:e899"
],
"name": "pihole",
"id": "f6876d5930b84506882073106cc0096e",
"mac": [
"52:54:00:87:dc:2d"
],
"architecture": "x86_64"
},
"event": {
"dataset": "pihole"
},
"dhcp": [
"boners"
],
"timestamp": "Nov 21 10:07:48"
},
"fields": {
"elastic_agent.version": [
"7.15.1"
],
"pid": [
"1028"
],
"host.hostname": [
"pihole"
],
"program": [
"dnsmasq-dhcp"
],
"host.mac": [
"52:54:00:87:dc:2d"
],
"host.ip": [
"192.168.2.2",
"fe80::84b1:1fc2:bc0c:8ce1",
"10.8.0.1",
"fe80::c65b:fb20:25cf:e899"
],
"agent.type": [
"filebeat"
],
"host.os.version": [
"20.04.3 LTS (Focal Fossa)"
],
"host.os.kernel": [
"5.11.0-40-generic"
],
"host.os.name": [
"Ubuntu"
],
"agent.name": [
"pihole"
],
"host.name": [
"pihole"
],
"elastic_agent.snapshot": [
false
],
"host.id": [
"f6876d5930b84506882073106cc0096e"
],
"dhcp": [
"boners"
],
"timestamp": [
"Nov 21 10:07:48"
],
"host.os.type": [
"linux"
],
"elastic_agent.id": [
"082ac260-4c92-437c-a1be-7ac20cad3c90"
],
"data_stream.namespace": [
"default"
],
"host.os.codename": [
"focal"
],
"input.type": [
"log"
],
"log.offset": [
13012150
],
"agent.hostname": [
"pihole"
],
"message": [
"Nov 21 10:07:48 dnsmasq-dhcp[1028]: DHCPREQUEST(enp1s0) 192.168.3.5 10:08:b1:6d:40:4e "
],
"data_stream.type": [
"logs"
],
"host.architecture": [
"x86_64"
],
"@timestamp": [
"2021-11-21T16:07:48.000Z"
],
"agent.id": [
"082ac260-4c92-437c-a1be-7ac20cad3c90"
],
"ecs.version": [
"1.11.0"
],
"host.containerized": [
false
],
"host.os.platform": [
"ubuntu"
],
"data_stream.dataset": [
"pihole"
],
"log.file.path": [
"/var/log/pihole.log"
],
"agent.ephemeral_id": [
"5bfbf7ce-503b-4e56-8a43-72a1b17c46d8"
],
"agent.version": [
"7.15.1"
],
"host.os.family": [
"debian"
],
"event.dataset": [
"pihole"
]
}
}
]
Output of the test document:
{
"docs": [
{
"doc": {
"_index": "dhcp",
"_type": "_doc",
"_id": "ziJAQ30BlfGFPPvm8jRA",
"_version": "1",
"_source": {
"agent": {
"name": "pihole",
"hostname": "pihole",
"id": "082ac260-4c92-437c-a1be-7ac20cad3c90",
"ephemeral_id": "5bfbf7ce-503b-4e56-8a43-72a1b17c46d8",
"type": "filebeat",
"version": "7.15.1"
},
"log": {
"offset": 13012150,
"file": {
"path": "/var/log/pihole.log"
}
},
"elastic_agent": {
"version": "7.15.1",
"snapshot": false,
"id": "082ac260-4c92-437c-a1be-7ac20cad3c90"
},
"pid": "1028",
"program": "dnsmasq-dhcp",
"message": "Nov 21 10:07:48 dnsmasq-dhcp[1028]: DHCPREQUEST(enp1s0) 192.168.3.5 10:08:b1:6d:40:4e ",
"input": {
"type": "log"
},
"@timestamp": "2021-11-21T10:07:48.000-06:00",
"ecs": {
"version": "1.11.0"
},
"data_stream": {
"namespace": "default",
"type": "logs",
"dataset": "pihole"
},
"host": {
"hostname": "pihole",
"os": {
"kernel": "5.11.0-40-generic",
"codename": "focal",
"name": "Ubuntu",
"type": "linux",
"family": "debian",
"version": "20.04.3 LTS (Focal Fossa)",
"platform": "ubuntu"
},
"containerized": false,
"ip": [
"192.168.2.2",
"fe80::84b1:1fc2:bc0c:8ce1",
"10.8.0.1",
"fe80::c65b:fb20:25cf:e899"
],
"name": "pihole",
"id": "f6876d5930b84506882073106cc0096e",
"mac": [
"52:54:00:87:dc:2d"
],
"architecture": "x86_64"
},
"event": {
"dataset": "pihole"
},
"dhcp": [
"boners"
],
"timestamp": "Nov 21 10:07:48"
},
"_ingest": {
"timestamp": "2021-11-24T01:45:23.516787543Z"
}
}
}
]
}
So it appears that my ingest pipeline is correctly changing the value of _index to my new index "dhcp".
However, no documents are ever added to that index.
Thoughts on how to troubleshoot where this is failing?
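An offline dry-run of the pipeline above, added here as example code that is not part of the original post and not Elastic's own tooling. It reimplements the three processors (the grok pattern as a Python regex, the date processor with a fixed CST offset standing in for "CST6CDT", and the conditional set of _index) and then checks each routed index name against a list of index patterns the agent's write credential is allowed to target. That list, "logs-*-*" and "metrics-*-*", is a constructed assumption about a least-privilege agent API key; the data-stream style name "logs-pihole.dhcp-default" used as a comparison is hypothetical. The point of the check is to make a silently rejected write visible before anything reaches the cluster: a document whose _index lands outside the credential's patterns fails authorization at index time, and the simulate API never exercises that path.

```python
"""Offline dry-run of the post's ingest pipeline plus a write-privilege check."""
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# Python equivalent of the grok pattern "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGPROG}".
# Grok's PROG is [\x21-\x5a\x5c\x5e-\x7e]+ (printable ASCII minus '[' and ']'),
# and SYSLOGPROG adds an optional "[pid]" suffix after the program name.
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<program>[\x21-\x5a\x5c\x5e-\x7e]+)(?:\[(?P<pid>\d+)\])?"
)

# Constructed assumption: a least-privilege agent API key is limited to
# data-stream style patterns such as these, not arbitrary index names.
AGENT_WRITE_PATTERNS = ("logs-*-*", "metrics-*-*")

# Fixed CST offset stands in for the pipeline's "CST6CDT" zone (no DST handling here).
CST = timezone(timedelta(hours=-6))


def run_pipeline(doc, dhcp_index="dhcp", year=2021):
    """Apply grok -> date -> conditional set, as the post's pipeline does.

    Returns a new dict. Raises ValueError when grok does not match, which
    mirrors the grok processor failing the document.
    """
    out = dict(doc)
    m = SYSLOG_LINE.match(out["message"])
    if m is None:
        raise ValueError("grok pattern did not match: %r" % out["message"])
    out.update({k: v for k, v in m.groupdict().items() if v is not None})
    # Syslog timestamps carry no year; the date processor assumes the current one,
    # so the year is a parameter here to keep the dry-run deterministic.
    ts = datetime.strptime(out["timestamp"], "%b %d %H:%M:%S")
    out["@timestamp"] = ts.replace(year=year, tzinfo=CST).isoformat()
    # Painless condition from the post: ctx?.program == 'dnsmasq-dhcp'
    if out.get("program") == "dnsmasq-dhcp":
        out["_index"] = dhcp_index
    return out


def index_allowed(index_name, patterns=AGENT_WRITE_PATTERNS):
    """True when the assumed agent credential could write to index_name."""
    return any(fnmatch(index_name, p) for p in patterns)


def dry_run(lines, default_index="logs-pihole-default", dhcp_index="dhcp"):
    """Route each log line and report (index, writable) so silent drops are visible."""
    results = []
    for line in lines:
        doc = run_pipeline({"message": line, "_index": default_index},
                           dhcp_index=dhcp_index)
        results.append((doc["_index"], index_allowed(doc["_index"])))
    return results


# Constructed sample lines: the first is the DHCPREQUEST line quoted in the post,
# the second a typical dnsmasq query line in the same syslog format.
SAMPLE_LINES = [
    "Nov 21 10:07:48 dnsmasq-dhcp[1028]: DHCPREQUEST(enp1s0) 192.168.3.5 10:08:b1:6d:40:4e ",
    "Nov 21 10:07:49 dnsmasq[1028]: query[A] example.com from 192.168.3.5",
]

if __name__ == "__main__":
    # The post's target name "dhcp" falls outside the assumed patterns.
    for index, ok in dry_run(SAMPLE_LINES):
        print("%-26s %s" % (index, "writable" if ok else "NOT writable (would be rejected)"))
    # A hypothetical data-stream style name stays inside them.
    for index, ok in dry_run(SAMPLE_LINES, dhcp_index="logs-pihole.dhcp-default"):
        print("%-26s %s" % (index, "writable" if ok else "NOT writable"))
```

Running the script prints one line per document with the index it would be routed to and whether the assumed credential could write there; the DHCP line routed to "dhcp" is flagged, while the same line routed to the data-stream style name passes. Pair this with the cluster side of the check: the agent's own log (Filebeat under Elastic Agent) records the bulk response for rejected documents, which is where an authorization failure on the rewritten index name shows up rather than in the pipeline simulation output.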