If condition not working in Output

Hi,

Below is my logstash.conf file content; the if condition in the output section is not working.

input {
  beats {
    type => beats
    port => 5044
    host => "XX.XX.XX.XX"
  }
}
filter {
  multiline {
    pattern => "^####"
    negate => true
    what => "previous"
  }
}
output {
  if ([fields][log_type] == "CRM") {
    elasticsearch {
      action => "index"
      hosts => ["http://XX.XX.XX.XX:9200/"]
      index => "CRM_index_%{+YYYY.MM.dd}"
      document_type => "system_logs"
    }
  }
  else {
    elasticsearch {
      action => "index"
      hosts => ["http://XX.XX.XX.XX:9200/"]
      index => "OMS_index_%{+YYYY.MM.dd}"
      document_type => "system_logs"
    }
  }
}

----------------------- logs scanned in logstash output (bold are the comparison parameters) -----------------------

{
        "offset" => 657499,
    "input_type" => "log",
        "source" => "/home/nftpoc/Vi
       "message" => "####<Oct 31, 20e: 'weblogic.kernel.Default (self-tu-4f has been accessed from 626396347"
          "type" => "log",
          "tags" => [
        [0] "beats_input_codec_plain
    ],
    "@timestamp" => 2017-11-08T10:30
      "@version" => "1",
          "beat" => {
            "name" => "illin3922",
        "hostname" => "illin3922",
         "version" => "5.6.3"
    },
          "host" => "illin3922",
        "fields" => {
        "log_type" => "CRM"
    }
}

--------------------- filebeat.yml ---------------------

- input_type: log
  paths: ["/home/nftpoc/Vineet/ELK/Logs/CRM/*.log"]
  fields:
    log_type: CRM

- input_type: log
  paths: ["/home/nftpoc/Vineet/ELK/Logs/OMS/*.log"]
  fields:
    log_type: OMS

You mean events end up in the OMS index when they should've ended up in the CRM index? Can you show an example of such a document (fetch it from the OMS index)?

No. Events are not ending up anywhere; no index gets created when I run the above config.
The only difference in the OMS logs is at the end:

    "fields" => {
        "log_type" => "OMS"
    }
