Get the input csv file path or filename in email


(Suraj) #1

Hi,

How can we get the input CSV file path or filename in the email?

Below is my config for the input and output:
input {
  file {
    path => "path to file/*.csv"
    type => "csv"
    start_position => beginning
  }
  file {
    path => "path to log/logstash-plain.log"
    type => "syslog"
    sincedb_path => "null"
  }
}

filter{}

output
{
  if [type] == "csv"
  {
    elasticsearch {
      hosts => "localhost:9200"
      index => "cmss"
      document_type => "cms"
      document_id => "%{id}"
    }
  }
  if [type] == "syslog"
  {
    if "[ERROR ]" in [message]
    {
      email {
        address => ".........................."
        subject => "logstash alert"
        to => "......................."
        body => "%{message}"
      }
    }
  }
}

Any idea or support would be really helpful.

Thank you.


(Magnus Bäck) #2

So what happens? Is there anything in the logs?

if "[ERROR ]" in [message]

There's an extra space after "ERROR".


(Suraj) #3

Hi Magnus,

That's how ERROR, with the extra space, gets logged into the Logstash log file. And it emails if the log file gets any ERROR tag message.


(Magnus Bäck) #4

You should be able to find the input filename in the path field so you can just reference that field in the email output's body option just like you're currently doing with the message field.


(Suraj) #5

Yes, I tried it the same way, as you can see below, but it sends multiple emails with the path, according to the number of documents or rows in the loaded file.

output
{
  if [type] == "csv"
  {
    elasticsearch {
      hosts => "localhost:9200"
      index => "cmss"
      document_type => "cms"
      document_id => "%{id}"
    }
    email {
      address => ".........................."
      subject => "logstash alert"
      to => "......................."
      body => "%{path}"
    }
  }
  if [type] == "syslog"
  {
    if "[ERROR ]" in [message]
    {
      email {
        address => ".........................."
        subject => "logstash alert"
        to => "......................."
        body => "%{message}"
      }
    }
  }
}


(Magnus Bäck) #6

But it sends multiple emails with the path, according to the number of documents or rows in the loaded file.

Yes, that's expected.

Using Logstash for this kind of alert is a fundamentally bad idea. Look into ElastAlert, Elastic's own Watcher, or perhaps Grafana instead.
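
Added example, not posted by anyone in this thread: every CSV row is its own event carrying the same path value, which is why the email output above fires once per row. One way to limit that inside Logstash is the throttle filter keyed on path. The period and max_age values and the example.invalid addresses are assumptions and placeholders.

```logstash
# Added example: filter/output fragment for the "csv" events from the thread.
filter {
  if [type] == "csv" {
    # The file input sets "path" on every row, so count events per file.
    throttle {
      key         => "%{path}"
      after_count => 1            # the first event per key passes untagged
      period      => "3600"       # counting window in seconds (assumed value)
      max_age     => 7200         # assumed value; must not be less than period
      add_tag     => "throttled"  # every later row from the same file gets this tag
    }
  }
}

output {
  if [type] == "csv" {
    # All rows are still indexed, tagged or not.
    elasticsearch {
      hosts         => "localhost:9200"
      index         => "cmss"
      document_type => "cms"
      document_id   => "%{id}"
    }
    # Only the untagged first row of each file within the window sends mail.
    if "throttled" not in [tags] {
      email {
        address => "smtp.example.invalid"   # placeholder SMTP server
        subject => "logstash alert"
        to      => "ops@example.invalid"    # placeholder recipient
        body    => "Loading rows from %{path}"
      }
    }
  }
}
```

A file that is still producing rows after the period expires triggers another email, because the counter for that path starts over.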

