Filebeat -> Logstash match metadata

Badger · November 5, 2019, 3:42pm

When I run

input { generator { count => 1 lines => [ '11.12.28.183 - - [04/Nov/2019:17:47:02 +0100] "CONNECT autodi.fr:443 HTTP/1.1" 407 3728 101 "-" "-" TCP_DENIED:HIER_NONE' ] } }
filter {
    mutate { add_field => { "[process][name]" => "(squid-1)" } }
    if [process][name] =~ /\([a-z]+-1\)/ {
        dissect { mapping => { "message" => '%{a} %{b} %{c} [%{mydate}] "%{d} %{e} %{f}" %{g} %{h} %{i} "%{j}" "%{k}" %{l}:%{m}' } }
        date { match => ["mydate", "dd/MMM/YYYY:HH:mm:ss Z"] target => "date" }
        mutate { remove_field => [ "mydate" ] }
    }
}
output { stdout { codec => rubydebug { metadata => false } } }

I get

   "message" => "11.12.28.183 - - [04/Nov/2019:17:47:02 +0100] \"CONNECT autodi.fr:443 HTTP/1.1\" 407 3728 101 \"-\" \"-\" TCP_DENIED:HIER_NONE",
         "e" => "autodi.fr:443",
         "i" => "101",
      "date" => 2019-11-04T16:47:02.000Z,
         "f" => "HTTP/1.1",
         "k" => "-",
   "process" => {
    "name" => "(squid-1)"
},

etc. Are you sure [process][name] exists at the point where you are testing it?

Topic		Replies	Views
Logstash - Match metadata from filebeat Logstash	2	399	June 17, 2019
Filebeat System module not sending process name when using Logstash as a output Beats filebeat	6	847	March 2, 2021
Can't get app_process_metadata to work in Filebeat Beats filebeat	3	324	December 24, 2018
Possible to add to @metadata? Beats filebeat	5	3580	July 5, 2017
Logstash input-beat not receiving @metadata field Beats filebeat	4	4184	July 5, 2017

Filebeat -> Logstash match metadata

Related topics