Input plugin - type not getting picked up?

jamesl · June 8, 2016, 6:34am

Hi.
Have installed filebeat on a Windows box to collect and forward logs to ELK.
On the logstash input file i have setup a seperate beats section so i can define a different type compared to my other inputs, refer winlogbeat-log01 below:
input file extract:
beats {
port => 5044
type => "beats-log01"
}
beats {
port => 5045
type => "winfilebeat-log01"
}

output file extract:
} else if [type] == "beats-log01" {
elasticsearch {
hosts => ["els02:9200","els03:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
} else if [type] == "winfilebeat-log01" {
elasticsearch {
hosts => ["els02:9200","els03:9200"]
sniffing => true
manage_template => false
index => "winfilebeat-%{+YYYY.MM.dd}"
document_type => "winfilebeat-log01"
}

My Kibana output is not picking up this new file 'type' and in my ES I am not getting a new index created (see pic).

Any pointers?

warkolm · June 9, 2016, 12:24am

Your config looks ok, but it doesn't look like the type is in the doc at all. What if you add a stdout to see what is happening.

jamesl · June 10, 2016, 1:38am

Hi, tried that but nothing is coming up in either /var/log/syslog or /var/log/logstash/logstash.log
Tried both stdout { codec => json } and stdout { codec => rubydebug }

} else if [type] == "winfilebeat-log01" {
elasticsearch {
hosts => ["els02:9200",":9200"]
stdout { codec => json }
sniffing => true
manage_template => false
index => "winfilebeat-%{+YYYY.MM.dd}"
document_type => "winfilebeat-log01"
}