Logstash conditional for nested field

rmac · May 8, 2018, 5:09pm

I understand in Logstash you can access nested fields, for example like this in a filter block

 mutate {
    replace => { "timestamp" => "%{timestamp} %{[beat][timezone]}" }
 }

However I seem to be unable to access the field "fileset.module" like this in an output block:

if  [fileset][module] == "osquery" {
  elasticsearch {
      hosts => [ "192.168.x.x", "192.168.y.y" ]
      index => "osquery-%{+YYYY.MM.dd}"
      }
}

The events I'm pushing into logstash from filebeat never end up in the index I'm attempting to create here, though the field does definitely exist.
Anyone know what I may be doing wrong?

magnusbaeck · May 8, 2018, 7:31pm

There's nothing wrong with the syntax. What does an example event look like?

rmac · May 11, 2018, 5:05pm

This was due to user error, sorry for wasting your time. Filebeat wasn't configured properly. I had multiple hosts shipping stuff in, but the one host that wasn't had an incorrect filebeat config. Thought configs were identical but I made a mistake.

system · June 8, 2018, 5:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter conditionals Logstash	3	408	August 26, 2020
Logstash Conditional Indexes Logstash	5	4332	March 29, 2019
Conditional index in output Logstash	1	737	July 11, 2020
Conditionals with nested fields in logstash not working Logstash	3	687	December 4, 2020
How to configure conditional input-output from Filebeats Logstash	11	4768	September 4, 2018

Logstash conditional for nested field

Related topics