If clause seems not to be working

Kernel_Panic · November 21, 2016, 5:09pm

Hi guys.
I'm just wanting to log different event to different indexes and I'm trying to achieve it by using tags.

input {
  udp {
    port => 25826
    type => "collectd"
    buffer_size => 1452
    codec => collectd { }
  }
}


input {
    udp {
      port => 5514
      codec => "json"
      type => "sensu"
      tags => "sensu"
  }
}

Output Filter:

output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "collectd-%{+YYYY.MM.dd}"
      document_type => "collectd"
    }
  }
}

Separate filter for sensu:

output {
   if "sensu" in [tags] {
elasticsearch {
  hosts => ["server"]
  sniffing => true
  manage_template => false
  index => "sensu-%{+YYYY.MM.dd}"
  document_type => "sensu"
  }
 }
}

When I restart the service I cannot see the data anymore in sensu index, if I remove the if clouse if works , what' wrong, I've already define the tag sensu in the input filter, doesn't it work that way?

What am I doing wrong?
Thanks in advance

Andrew_Cholakian1 · November 22, 2016, 12:13am

Can you try inserting as an output stdout { codec => rubydebug }.? That will show you the full event data and let us see if the sensu tag is being deleted somehow. Could a filter be mangling it somewhere?

Kernel_Panic · November 22, 2016, 8:31pm

Hi Andrew,
Yeah, there was a filter that was the culprit, now I'm able to send the data to separate indexes including sensu

I left the beat output like this:

output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}

Created a new one for collectd:

output {
    if "collectd" in [tags] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "collectd-%{+YYYY.MM.dd}"
      document_type => "collectd"
    }
  }
}

And this one for sensu:

output {
    stdout { codec => rubydebug }
    if "sensu" in [tags] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "sensu-%{+YYYY.MM.dd}"
      document_type => "sensu"
     }
    }
  }

Now I can see in the logs:

 "last_ok" => 1479846616,
                 "silenced" => false,
              "silenced_by" => [],
                 "@version" => "1",
               "@timestamp" => "2016-11-22T20:30:16.382Z",
                     "tags" => [
        [0] "sensu"
    ],
                     "host" => "x.x.x.x"
}

Thank you very much for your time and support
Regards

Topic		Replies	Views
[SOLVED] Elasticsearch output filter by tags... now failing when on new indices Logstash	2	7189	July 6, 2017
How to push same document into multiple indexes? Logstash	7	3363	September 19, 2018
Logstash Config Issues Logstash	2	520	July 6, 2017
Event routing to indexes not working Logstash	3	354	August 28, 2020
LS - elasticsearch output conditionals Logstash	3	1111	July 6, 2017

If clause seems not to be working

Related topics