If condition not working in logstash output

Elastic Stack Logstash
1

Here is my logstash config file, the issue is logstash not forwarding logs to all outputs, only 2 outputs are working

 output {
  if [fields][component] == "cat" {
  file {
    path => "/data/cat/cat.%{+yyyy.MM.dd}"
  }
}
 else if [fields][component] == "idt256" {
  file {
    path => "/data/idt256/idt256.%{+yyyy.MM.dd}"
  }
}
  else if [fields][component] == "idt512" {
  file {
    path => "/data/idt512/idt512.log.%{+yyyy.MM.dd}"
  }
}
  else if  [fields][component] == "ida" {
  file {
    path => "/data/ida/ida.log.%{+yyyy.MM.dd}"
  }
}

    elasticsearch {
    hosts => ["https://node1:9200"]
    user => 'elastic'
    cacert => '/opt/elasticsearch/ca/ca.crt'
    password => 'password'
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

  }
}

the first and last (cat&ida) output is working , remaining not can anyone please suggest what's wrong in if condition?

2

Please look in Elasticsearch for an example document that didn't reach its intended file. Show it to us. You can e.g. copy/paste from Kibana's JSON tab so you get the raw event.

3

@magnusbaeck Thanks for response, if you observe in my logstash output there five different outputs, 3 are working but 2 are not working? that's my problem, I am getting all the logs into kibana .

4

Yes, I understand what the problem is. Please just answer my question.

5

@magnusbaeck {
"_index": "filebeat-2018.08.23",
"_type": "doc",
"_id": "4GdyZmUBcoO0sqzqu8Ao",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2018-08-23T11:01:53.613Z",
"message": "2018-08-23T11:01:45.475Z\tINFO\t[monitoring]\tlog/log.go:124\tNon-zero metrics in the last 30s\t{"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":50070,"time":50073},"total":{"ticks":239070,"time":239081,"value":239070},"user":{"ticks":189000,"time":189008}},"info":{"ephemeral_id":"9f45d31b-1b85-49b3-982b-5075b4163934","uptime":{"ms":463500053}},"memstats":{"gc_next":8590496,"memory_alloc":6183448,"memory_total":65102754368}},"filebeat":{"events":{"added":1,"done":1},"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"acked":1,"batches":1,"total":1},"read":{"bytes":35},"write":{"bytes":764}},"pipeline":{"clients":1,"events":{"active":0,"published":1,"total":1},"queue":{"acked":1}}},"registrar":{"states":{"current":10,"update":1},"writes":1},"system":{"load":{"1":0.28,"15":0.08,"5":0.2,"norm":{"1":0.0175,"15":0.005,"5":0.0125}}}}}}",
"fields": {
"component": "idt.256"
}
},
"fields": {
"@timestamp": [
"2018-08-23T11:01:53.613Z"
]
},
"highlight": {
"fields.component": [
"@kibana-highlighted-field@idt@/kibana-highlighted-field@.@kibana-highlighted-field@256@/kibana-highlighted-field@"
]
},
"sort": [
1535022113613
]
}

here is my json output from kibana, can you please correct me on if condition

6

This document's [fields][component] field contains idt.256 but your conditional says idt256.

7

@magnusbaeck thanks for guiding me, it worked for me, one question, I want to configure multiple outputs in logstash, logstash should export all logs to elasticsearch and as well as text files also. how can i implement that ?

8

Just list multiple outputs in your output { ... } block. One elasticsearch output and one file output, for example.

9

okay got it. Thank you Have a good day.

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.