Filebeats custom fields not sending with message

jspeer · September 15, 2017, 4:45pm

I'm running filebeats 5.5.1, the 2 fields that I've added into the prospector aren't sending with the logs. Here is my prospector:

- input_type: log
    paths:
        - /etc/filebeat/log/*.log
    fields: 
        log_type: promolog
        type: pricing
    fields_under_root: true

Here is the message I'm sending to the log

echo "This is a test" >> test.log

Here is what logstash is seeing

2017-09-15T16:39:48.593Z 1843d9713bf0 This is a test

andrewkroh · September 15, 2017, 6:27pm

How do you have Logstash configured? Where is that output coming from? Please share your Logstash config.

jspeer · September 15, 2017, 6:35pm

Here is the combined logstash config, it's separated into separate files for input, filter, and output

input {
  beats {
    port => 5044
    ssl => false
    #ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    #ssl_key => "/etc/pki/tls/private/logstash-beats.key"
 }
}
filter {
  if [fields][log_type] == "promolog" {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:logtimestamp} %{WORD:msg} %
{SYSLOG5424SD:jclass} - %{WORD:rtype} %{SPACE}:%{SPACE}%{GREEDYDATA:payload}" }
  }
    date {
        match => ["logtimestamp", "YYYY-MM-dd HH:mm:ss,SSS"]
        target => "@timestamp"
        add_field => { "debug" => "timestampMatched"}
  }

   csv {
       source => "payload"
       separator => "|"
       remove_field => ["payload"]
  }

  mutate {
      add_field  => {
       "reqtype"  => "%{column2}"
       "ordernum" => "%{column3}"
       "brand"    => "%{column4}"
       "promo"    => "%{column5}"
     }
   } 
 }
 }
output {

   stdout {}
   elasticsearch {
   hosts => ["localhost"]
   manage_template => false
   index => "pricing-%{YYYY.MM.dd}"
   document_type => "pricing"
   user => "elastic"
   password => "changeme"

}
}

andrewkroh · September 15, 2017, 6:50pm

Try using a different codec with the stdout output. This should cause all fields to be logged.

output {
  stdout { codec => rubydebug { metadata => true } }
}

jspeer · September 15, 2017, 7:04pm

Perfect, thank you! I'm now seeing the fields in the logstash output.

system · October 13, 2017, 7:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Custom fields are not stored in the message root Beats filebeat	12	4389	July 5, 2017
Filebeat not sending log fields Beats filebeat	2	383	December 17, 2019
Logstash not able to access the custom field from Filebeat Logstash	2	1992	June 27, 2017
How to use custom fields from filebeat in logstash? Logstash	2	4690	October 14, 2018
Filebeat is not sending logs to logstash Logstash	11	12415	July 6, 2017

Filebeats custom fields not sending with message

Related Topics