If clause seems not to be working

Kernel_Panic · November 21, 2016, 5:09pm

Hi guys.
I'm just wanting to log different event to different indexes and I'm trying to achieve it by using tags.

input {
  udp {
    port => 25826
    type => "collectd"
    buffer_size => 1452
    codec => collectd { }
  }
}


input {
    udp {
      port => 5514
      codec => "json"
      type => "sensu"
      tags => "sensu"
  }
}

Output Filter:

output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "collectd-%{+YYYY.MM.dd}"
      document_type => "collectd"
    }
  }
}

Separate filter for sensu:

output {
   if "sensu" in [tags] {
elasticsearch {
  hosts => ["server"]
  sniffing => true
  manage_template => false
  index => "sensu-%{+YYYY.MM.dd}"
  document_type => "sensu"
  }
 }
}

When I restart the service I cannot see the data anymore in sensu index, if I remove the if clouse if works , what' wrong, I've already define the tag sensu in the input filter, doesn't it work that way?

What am I doing wrong?
Thanks in advance

Andrew_Cholakian1 · November 22, 2016, 12:13am

Can you try inserting as an output stdout { codec => rubydebug }.? That will show you the full event data and let us see if the sensu tag is being deleted somehow. Could a filter be mangling it somewhere?

Kernel_Panic · November 22, 2016, 8:31pm

Hi Andrew,
Yeah, there was a filter that was the culprit, now I'm able to send the data to separate indexes including sensu

I left the beat output like this:

output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}

Created a new one for collectd:

output {
    if "collectd" in [tags] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "collectd-%{+YYYY.MM.dd}"
      document_type => "collectd"
    }
  }
}

And this one for sensu:

output {
    stdout { codec => rubydebug }
    if "sensu" in [tags] {
    elasticsearch {
      hosts => ["server"]
      sniffing => true
      manage_template => false
      index => "sensu-%{+YYYY.MM.dd}"
      document_type => "sensu"
     }
    }
  }

Now I can see in the logs:

 "last_ok" => 1479846616,
                 "silenced" => false,
              "silenced_by" => [],
                 "@version" => "1",
               "@timestamp" => "2016-11-22T20:30:16.382Z",
                     "tags" => [
        [0] "sensu"
    ],
                     "host" => "x.x.x.x"
}

Thank you very much for your time and support
Regards

system · December 20, 2016, 8:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
If/CSV Filter not working Logstash	2	364	October 15, 2018
[SOLVED] Elasticsearch output filter by tags... now failing when on new indices Logstash	2	7156	July 6, 2017
Logstash "if statement" not working for logs from winlogbeat 7.13.2 (works on older version) Logstash	1	297	September 9, 2021
Logstash Syntax Error Logstash	7	1090	December 11, 2016
If conditional not working Logstash	6	325	November 26, 2019

If clause seems not to be working

Related topics