I need to make multiple inputs in Logstash and then multiple outputs.
I have this configuration, and I need the events that come in on port 5055 to be tagged with "docker", and then to add a field and output to Elasticsearch.
The command tags => [ "docker" ] does not work; the event still shows the tag "tags":["beats_input_codec_plain_applied"]
input {
  beats {
    port => 5044
    id => "comex"
  }
  beats {
    port => 5055
    tags => [ "docker" ]
  }
}
filter {
  if "docker" in [tags] {
    mutate { add_field => { "message_aux" => "docker" } }
  }
}
output {
  if "docker" in [tags] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "docker2"
    }
  }
  elasticsearch {
    hosts => ["127.0.0.1:9200"]
    index => "comex-%{+YYYY.MM.dd}"
  }
  file {
    path => "/tmp/logstash.txt"
  }
}
This is one of the events output.
{"count":1,"message":"[api-accounts.2.vlwxdyvzh1tzs2y3ka0x19u01] \u0001\u0000[api-accounts.2.vlwxdyvzh1tzs2y3ka0x19u01] \u0000[api-accounts.2.vlwxdyvzh1tzs2y3ka0x19u01] ","input_type":"stdin","fields":null,"@timestamp":"2018-02-16T15:51:56.451Z","tags":["beats_input_codec_plain_applied"],"offset":151155522,"beat":{"hostname":"e080a9066ea7","name":"docker01.bbva.internal"},"source":"-","type":"filebeat-docker-logs","host":"e080a9066ea7","@version":"1"}
I also tried with
beats {
  port => 5055
  add_field => {
    "origen" => "docker"
  }
}
and it does not work.
Is this a bug? How can I do this?
Thanks.