How to use filebeat fields name value in logstash config

Jayanna_Hallur · March 23, 2017, 6:02pm

Hi All

Below are my config files for 2 filebeats & logstash.. I set the fields index=my_data_1 in filebeat config. & send to logstash.. in the logstash i want use the value passed in fields.index from filebeat to use it for indexing when sent to elastic search.. so that both filebeat agents using the same logstash can send data to different index names.

But, [fields][index] is not working.. im unable to get the value set in filebeat..

With the below configuration the index name in created in ES cluster is [fields][index]-2017.03.23

"[@metadata][index]" => "[fields][index]" ==> not working

Logstash configs:

```
input {
  beats {
     port => "9997"
  }
}

filter {
  mutate {
    replace => {
      "[@metadata][index]" => "[fields][index]"   ===> This is not working..
    }
  }
}


output {
  elasticsearch {
     hosts => ["10.205.233.191:8089","10.205.236.248:8089","10.205.235.211:8089"]
     index => "%{[@metadata][index]}-%{+YYYY.MM.dd}"
     #document_type => "%{[@metadata][type]}"
  }
}
```

File beat -1 config:

filebeat.prospectors:
- input_type: log
  paths:
    -  <path to file>

  fields:
     index:  my_data

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:9997"]

File beat -2 config:

```
filebeat.prospectors:
- input_type: log
  paths:
    -  <path to file>

  fields:
     index:  my_data_2

output.logstash:
  # The Logstash hosts
  hosts: ["localhost:9997"]
```

ruflin · March 27, 2017, 6:46am

Could you use file output to verify that the field is set on the filebeat side? (should be the case)
Could you to use fields index directly for the fields?

index => "%{[fields][index]}-%{+YYYY.MM.dd}"

Jayanna_Hallur · March 28, 2017, 4:40pm

Thanks for the reply.. But I need to put in filter as highlighted above.. When I put in the filter section, it didn't work.

But if work for if condition in the filter section..it works fine.. but not when I used it assign
e.g:
if [fields][index] == "abc" { #### ==> Works
"[@metadata][index]" => "[fields][index]" ===> This is not working..
}

steffens · March 29, 2017, 8:49am

check the syntax. I think the right hand side must be a format-string, that is "%{[field][index]}".

Jayanna_Hallur · April 4, 2017, 6:37pm

Worked. Thanks.

system · May 2, 2017, 6:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat fields value unable to use it in logstash configuration file Logstash	9	570	February 7, 2021
Filebeat does not set the index for logstash output even after providing index name in filebeat Beats	4	1203	December 30, 2016
How to use custom fields from filebeat in logstash? Logstash	2	4692	October 14, 2018
Fields/tag set custom fields in filebeat, but logstash gives error Beats filebeat	1	330	December 20, 2019
Best practice for setting index names when using filebeats to logstash Beats filebeat	3	2164	March 4, 2018

How to use filebeat fields name value in logstash config

Related topics