How to debug elasticsearch logstash ingestion pipelines

genehunter29009 · June 18, 2020, 10:47am

Trying to use the pipelines in a beats config on logstash. The issue is its not seeing the pipeline so the data is going straight into the index unprocessed. I am sure something is wrong with the code that builds the pipeline name pipeline => "%{[@metadata][pipeline]}" but I dont see any documentation on that. My pipelines are named

filebeat-7.7.0-iis-access-pipeline
filebeat-7.7.1-iis-error-pipeline

Anyone have any suggestions on how I can find out what %{[@metadata][pipeline]} is pointing too or know why it is not working?

input {
beats {
port => 5100
}
}

output {
if [@metadata][pipeline] {
elasticsearch {
hosts => ["https://ipaddresshere:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.ww}"
pipeline => "%{[@metadata][pipeline]}"
user => "elastic"
password => "changeme"
cacert => "/etc/logstash/certs/cacerts.pem"
}
}
else {
elasticsearch {
hosts => ["https://ipaddresshere:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.ww}"
user => "elastic"
password => "changeme"
cacert => "/etc/logstash/certs/cacerts.pem"
}
}
}

genehunter29009 · June 22, 2020, 10:28am

I figured out there was no pipeline parameter being passed. I assume you have to create your own. I did get this code to work with 7.7

input {
beats {
port => 5100
}
}
output {
if [agent][type] == "filebeat" {
if [fileset][name] == "access" {
elasticsearch {
hosts => ["https://ipaddresshere:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.ww}"
pipeline => "%{[@metadata][beat]}-%{[@metadata][version]}-iis-access-pipeline"
user => "elastic"
password => "changeme"
cacert => "/etc/logstash/certs/cacerts.pem"
}
}
}
if [agent][type] == "filebeat" {
if [fileset][name] == "error" {
elasticsearch {
hosts => ["https://ipaddresshere:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.ww}"
pipeline => "%{[@metadata][beat]}-%{[@metadata][version]}-iis-error-pipeline"
user => "elastic"
password => "changeme"
cacert => "/etc/logstash/certs/cacerts.pem"
}
}
}
if [agent][type] != "filebeat" {
elasticsearch {
hosts => ["https://10.29.144.38:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.ww}"
user => "elastic"
password => "changeme"
cacert => "/etc/logstash/certs/cacerts.pem"
}
}
}

system · July 20, 2020, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.