Hi All,
TL;DR: I suspect http { } is modifying the received host field value without being explicitly configured to. I need to stop this happening.
I'm using the following configuration file.
input {
  http {
    codec => json
  }
}
filter {
  if [type] == "load" {
    mutate {
      add_field => { "1m" => "%{values[0]}" }
      add_field => { "5m" => "%{values[1]}" }
      add_field => { "15m" => "%{values[2]}" }
    }
  }
  if [type] == "if_octets" {
    mutate {
      add_field => { "rx" => "%{values[0]}" }
      add_field => { "tx" => "%{values[1]}" }
    }
    # add_field stores strings, so convert to a number before scaling octets to bits
    ruby {
      code => "event['rx'] = event['rx'].to_f * 8"
    }
    ruby {
      code => "event['tx'] = event['tx'].to_f * 8"
    }
  }
  date {
    match => [ "time", "UNIX" ]
  }
}
output {
  elasticsearch {}
  stdout { codec => rubydebug }
}
Before I go on to explain the issue, I will state that the first thing I checked before pointing a finger at Logstash was to use tcpdump to examine the raw JSON coming from collectd to Logstash, and I can see that the "host" field has been passed and contains a correct value.
However, once Logstash has finished with the event, the host field has been changed to what appears to be the source IP of the HTTP traffic (since I don't have resolution set up yet).
I really want to be able to disable that behavior somehow, because I need the host field to remain correctly set from the collectd sender.
I have already tried to see whether a mutate filter that adds a new field and copies the original %{host} would work, but it too ends up being the source IP, leading me to suspect some behavior of the http input module.
Although I can't see any explanation or toggle in the documentation, are there any options I can toggle to disable this behavior?
Many thanks,
jdmac