Hi,
Were using logstash 5.1.1 adn cannot get the if statement to work in the the filter:
filter {
if [type] == "log" {
grok {
patterns_dir => ["/opt/grok/patterns"]
match => {
"message" => [
Grok works if I remove 2nd line: if [type] == "log" {
Thanks
aidan
This should work. When you say "doesn't work", do you mean that the grok filter is silently ignored? Please give an example of such an event. The result of a stdout { codec => rubydebug } is preferred.
Yes the filter is ignored, seems the field type: is not being used or has being replaced / renamed ?
stdout:
{
"@timestamp" => 2016-12-19T12:30:43.698Z,
"@version" => "1",
"message" => "{"@timestamp":"2016-12-19T12:30:38.581Z","beat":{"hostname":"ip-10-0-1-106.eu-west-1.compute.internal","name":"ip-10-0-1-106.eu-west-1.compute.internal","version":"5.0.1"},"fields":{"datacenter":"ireland","env":"beta2","product":"shg-filebeats"},"input_type":"log","message":"2016-12-19 12:30:29,570 agent.py:643 DEBUG: Completed harvest of all application data in 0.52 seconds.","offset":2702965,"source":"/var/log/shgw/app.log","type":"log"}",
"tags" => []
}
It looks like there's a codec => json missing for your input, but without full details I can't tell for sure.
Yes json codec was missing from input... thought it was enabled by default..
Thank you 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.