`include_matches.match` has no effect with journal fields (config included)

Is this a documentation bug, or a Filebeat bug?

This is an example from the Filebeat documentation:

filebeat.inputs:
- type: journald
  id: service-vault
  include_matches.match:
    - _SYSTEMD_UNIT=vault.service

Applying include_matches.match has no effect. Messages for all units are shipped.

This seems to be the case for all journal fields. For example, _TRANSPORT=kernel has no effect either.

Using journalctl -o json, I can confirm that _SYSTEMD_UNIT is set for the unit I'm targeting (even though absence should not cause logs for all units to be shipped).

Processors (e.g. when.not.regexp.message: '^iptables') do work.

Versions:

  • Filebeat 7.17.29
  • systemd 252 (252.38-1~deb12u1)

--

filebeat.yml:

monitoring:
  enabled: true
  cluster_uuid: <stripped>
  elasticsearch:
    username: elastic
    password: <stripped>
    hosts: ["elasticsearch-test.cyberfusion.cloud:9200"]
    protocol: https
    ssl:
      enabled: true

output.logstash:
  hosts: ["domlimev.nl:5044"]
  ssl.ssl: true

filebeat.config.inputs:
  enabled: true
  path: inputs.d/*.yml

# inputs.d/daemons.yml (only file in inputs.d/)

- type: journald
  id: ssh
  include_matches.match:
      - _SYSTEMD_UNIT=sshd.service

Hello @NominaSumpta

As per the syntax shared:

filebeat.inputs:
- type: journald
  id: service-vault
  include_matches.match:
    - _SYSTEMD_UNIT=vault.service

This is for version 8.19 =>

But since your version is 7.17.x

I see the below syntax:

filebeat.inputs:
- type: journald
  id: service-vault
  include_matches:
    - _SYSTEMD_UNIT=vault.service

Could you please try this & see if it works (there is no .match).

Thanks!!
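To make the version difference concrete, here is an added example that is not Filebeat's code and was not posted by anyone in the thread. It models the two config shapes from the replies above as the dicts a YAML loader hands over (the OP's dotted include_matches.match key kept literally, and the plain include_matches list for 7.17), expands dotted keys the way Filebeat's config loader does, works out which match list each major version would honour, and then applies those matches to a few constructed journalctl -o json lines. Assumptions, labelled as such in the code: 7.x reads include_matches as a flat list and 8.x as a mapping with a match list (as the thread states); an unrecognised shape is treated as "no filter applied", which is the behaviour the OP observed; and the matches combine under journald's rule (same field ORed, different fields ANDed). The journal entries are constructed sample data.

```python
"""Which form of include_matches a Filebeat journald input honours, and what the
journal filter then lets through.

Added example, not Filebeat code.  Assumptions (labelled as such): 7.x reads
include_matches as a flat list of FIELD=value strings and 8.x as a mapping with a
'match' list, as the thread above states; dotted YAML keys are expanded into
nested mappings the way Filebeat's config loader does; the matches are combined
with journald's rule (same field ORed, different fields ANDed); an unrecognised
shape is treated as "no filter", which is what the OP saw.  The journal entries
below are constructed sample data.
"""
import json
from collections import defaultdict

# Constructed sample in the shape `journalctl -o json` prints (one object per line).
SAMPLE_JOURNAL = "\n".join(json.dumps(e) for e in [
    {"_SYSTEMD_UNIT": "sshd.service", "_TRANSPORT": "journal",
     "MESSAGE": "Accepted publickey for admin from 198.51.100.7 port 51234"},
    {"_SYSTEMD_UNIT": "cron.service", "_TRANSPORT": "journal",
     "MESSAGE": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"_TRANSPORT": "kernel",
     "MESSAGE": "iptables: IN=eth0 OUT= SRC=203.0.113.9 DPT=22"},
])

# The OP's input as a YAML loader hands it over (dotted key kept literally),
# and the 7.17 form suggested in the reply.
CFG_DOTTED = {"type": "journald", "id": "ssh",
              "include_matches.match": ["_SYSTEMD_UNIT=sshd.service"]}
CFG_LIST = {"type": "journald", "id": "ssh",
            "include_matches": ["_SYSTEMD_UNIT=sshd.service"]}


def expand_dotted(cfg):
    """Turn {'a.b': v} into {'a': {'b': v}}, recursing into nested mappings."""
    out = {}
    for key, value in cfg.items():
        if isinstance(value, dict):
            value = expand_dotted(value)
        node = out
        parts = key.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return out


def effective_matches(input_cfg, major):
    """Return (matches, warnings) for a Filebeat major version.

    An empty match list is the dangerous case: no journal filter is applied,
    so every unit on the host is shipped.
    """
    value = expand_dotted(input_cfg).get("include_matches")
    if value is None:
        return [], []
    if major < 8:
        if isinstance(value, list):
            return list(value), []
        return [], ["7.x expects include_matches to be a list; the nested "
                    "'match' key is not recognised, so nothing is filtered"]
    if isinstance(value, dict) and isinstance(value.get("match"), list):
        return list(value["match"]), []
    return [], ["8.x documents include_matches.match as the list; a bare list "
                "is not that form (assumed here to leave the journal unfiltered)"]


def parse_match(expr):
    """Split 'FIELD=value' into its parts; journald matches are exact, no globs."""
    field, sep, value = expr.partition("=")
    if not sep or not field:
        raise ValueError(f"bad match expression: {expr!r}")
    return field, value


def filter_journal(entries, matches):
    """Apply the matches to parsed journal entries (journald combination rule)."""
    wanted = defaultdict(set)
    for expr in matches:
        field, value = parse_match(expr)
        wanted[field].add(value)
    # all() over an empty dict is True: with no matches, everything passes.
    return [e for e in entries
            if all(e.get(field) in values for field, values in wanted.items())]


def load_journal(text):
    """Parse `journalctl -o json` output, one JSON object per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def shipped_units(input_cfg, major, journal_text=SAMPLE_JOURNAL):
    """Units that would reach the output for this config on this major version."""
    matches, warnings = effective_matches(input_cfg, major)
    kept = filter_journal(load_journal(journal_text), matches)
    return sorted({e.get("_SYSTEMD_UNIT", "<none>") for e in kept}), warnings


if __name__ == "__main__":
    for name, cfg in (("include_matches.match", CFG_DOTTED),
                      ("include_matches (list)", CFG_LIST)):
        for major in (7, 8):
            units, warnings = shipped_units(cfg, major)
            print(f"{name:24} on {major}.x ships {units} {warnings}")
```

Running it prints that the dotted form on 7.x ships every unit (sshd, cron and the kernel transport) with a warning, while the list form on 7.x and the dotted form on 8.x both narrow the output to sshd.service. The practical check is the one the OP did by hand: confirm the field value with journalctl -o json, then count what actually arrives at the output rather than trusting that the key was read.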

Hi @Tortoise,

You're absolutely right. No clue how I missed that. Thanks so much!
