Logstash conditional for nested field

rmac · May 8, 2018, 5:09pm

I understand in Logstash you can access nested fields, for example like this in a filter block

 mutate {
    replace => { "timestamp" => "%{timestamp} %{[beat][timezone]}" }
 }

However I seem to be unable to access the field "fileset.module" like this in an output block:

if  [fileset][module] == "osquery" {
  elasticsearch {
      hosts => [ "192.168.x.x", "192.168.y.y" ]
      index => "osquery-%{+YYYY.MM.dd}"
      }
}

The events I'm pushing into logstash from filebeat never end up in the index I'm attempting to create here, though the field does definitely exist.
Anyone know what I may be doing wrong?

magnusbaeck · May 8, 2018, 7:31pm

There's nothing wrong with the syntax. What does an example event look like?

rmac · May 11, 2018, 5:05pm

This was due to user error, sorry for wasting your time. Filebeat wasn't configured properly. I had multiple hosts shipping stuff in, but the one host that wasn't had an incorrect filebeat config. Thought configs were identical but I made a mistake.

system · June 8, 2018, 5:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.