Hi, I'm trying to get a Logstash filter to fire based on one of the fields or a tag instead of type. The reason being that I have multiple types of beats coming in (winlogbeat and filebeat). I thought it would be easy peasy to get that done....
Here is the config I'm trying. I've used the grok tester homepage to build the grok filter and this works - at least according to the grok test site.
filebeat config
filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/network.log
Everything goes into Elastic like a champ.
Logstash config - filter config section for network. I've tried several variations based on different posts to get the IF statement to work, but no luck.
filter {
  # cisco switch
  if ([fields]["beat.name"] == "network") {
    grok {
      break_on_match => true
      match => { "message" => "%{CISCOTIMESTAMP:syslog_host_timestamp}%{SPACE}%{IP:ciscohost}%{SPACE}%{INT}%{PROG} 2061950: %{CISCOTIMESTAMP:cisco_host_time}: %{GREEDYDATA:cisco_message}"
      }
    }
  }
}