If condition in logstash filter - not working

gogularaja.sr · January 17, 2019, 7:08am

input {
beats{
port => 5044
}
}

########################################################################

filter {
if [prospector.type] == "log" {
}
}

################################################################

output{
if [prospector.type] == "log" {
elasticsearch {
hosts => ["localhost:9200"]
index => "loglinux"
}
}
}

I am using this above filter, but it is not working.

My Filebeat version : 6.5
My Logstash version : 6.5.4

A_B · January 17, 2019, 7:40am

At least one thing you need to do is to separate the key levels with square brackets like this example from my Logstash config

  if [fields][index_type] == "postfix-maillog" {

So if [prospector.type] == "log" {
should be if [prospector][type] == "log" {

gogularaja.sr · January 17, 2019, 8:42am

Ok Thanks. It works.

May i know, how to define multiple prospector type in filebeat configuration.

My Filebeat config.

filebeat.inputs:

type: log
enabled: true
paths:
- /var/log/auth.log

If i change the name of "type: log", it is throwing the error message. And unable to restart the filebeat service.

A_B · January 17, 2019, 8:50am

The documentation is quite good

prospector is deprecated. They are called input in later versions of Filebeat, just FYI.

What type are you trying to configure?

gogularaja.sr · January 17, 2019, 10:32am

I am trying to configure like this in filebeat,

filebeat.inputs:

type: log_one
enabled: true
paths:
- /var/log/auth1.log
type: log_two
enabled: true
paths:
- /var/log/auth2.log

But it is not working.
Also need to know, how to configure "if-condition" for this in logstash.

A_B · January 17, 2019, 10:44am

Looks like type is not what you expect Did you read the documentation link I posted?

What you need to do is something like

filebeat.inputs:
- type: log
  paths:
    - /var/log/auth1.log
  fields:
    log_type: auth1
  fields_under_root: true
- type: log
  paths:
    - /var/log/auth2.log
  fields:
    log_type: auth2
  fields_under_root: true

This will create field log_type for all records with value auth1for the first input and value auth2for the second input.

gogularaja.sr · January 17, 2019, 10:52am

Ok Thanks a lot.

It works....

system · February 14, 2019, 10:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash to process multiple events sent from Filebeat Logstash	8	2149	July 6, 2017
Manage multiple beats on a single Logstash instance Logstash	5	3950	July 6, 2017
How to filter Filebeat input in Logstash from different log? Logstash	2	2989	October 12, 2018
Can't use type in logstash conf file Logstash	3	438	May 3, 2017
"document_type" on filebeat & "if" and "type" on logstash are not working Logstash	3	4188	April 12, 2017

If condition in logstash filter - not working

Related topics