"host.ip" is at "_source" displayed on Kibana.
Please teach me how to resolve.
logstash config
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
}
date {
match => [ "Time", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
target => "Time"
}
}
output {
elasticsearch {
hosts => "<elasticsearch ip address>:9200"
index => "server_log"
}
}
In the filter section you could use
if [host][ip] != "10.197.218.10" { drop {} }
If the field actually has a period in the name then that would be
if [host.ip] != "10.197.218.10" { drop {} }I tried both.
but, elasticsearch couldn't receive log from host of 10.197.218.10.
Config is below.
filter {
if [host][ip] != "10.197.218.10" { drop {} }
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
}
date {
match => [ "Time", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
target => "Time"
}
}
filter {
if [host.ip] != "10.197.218.10" { drop {} }
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
}
date {
match => [ "Time", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
target => "Time"
}
}
"_source" field is auto generated by system of elastic.
"message" field haven't host.ip.
It looks like beats add [host][ip] as an array of IP addresses, so you need an array membership test...
if "10.197.218.10" not in [host][ip] { drop {} }
Just resolved.
Thank you.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.