Logstash filter conditionals

Hi there,
I have 2 simple questions regarding this logstash conditionals example.
I have found something like this:
...
if [fields][some_id] {
  mutate {
    add_field => { "some_id" => "%{[fields][some_id]}" }
  }
}
...

  1. Here I have a conditional, but there is nothing it is compared to - a bit strange. Does it mean: If some_id has a key and therefore true? It would say: If the field some_id does exist, then add this field?? It does not make much sense to me. But this example does work. Would you please explain it to me?

  2. This fields: is it a common field / or a fixed, existing object? Since [fields] was not defined anywhere else in that conf file.
    Thank you and kind regards!

  1. Yes. It checks if the field exists because otherwise the new field would get the value "%{[fields][some_id]}" if the field doesn't exist. (One could also use the copy option of mutate for this task to avoid a wrong result.)
  2. Does the data maybe come from filebeat? The default for fields that are added with filebeat is fields: https://www.elastic.co/guide/en/beats/filebeat/current/add-fields.html
    In general a field that you didn't define in your Logstash filters (except @timestamp and @version) must come from your input data. Either as part of the original data or additional information that has been added by the input plugin.
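
The behaviour described in this answer, as an added example that is not part of the original replies: a self-contained pipeline that runs one event with [fields][some_id] and one without it through the unguarded add_field, the guarded form from the question, and mutate's copy option. The two sample events and the field names unguarded_id and copied_id are constructed for illustration.

```logstash
# Added example: save as a .conf file and run it with bin/logstash -f <file>.
input {
  generator {
    # Constructed sample events: the first carries [fields][some_id], the second does not.
    lines => [
      '{"message":"with id","fields":{"some_id":"abc-123"}}',
      '{"message":"without id"}'
    ]
    count => 1
    codec => "json"
  }
}

filter {
  # Unguarded: when [fields][some_id] is missing, the sprintf reference is not
  # resolved and unguarded_id is set to the literal text "%{[fields][some_id]}".
  mutate {
    add_field => { "unguarded_id" => "%{[fields][some_id]}" }
  }

  # Guarded (the form from the question): a bare field reference is a
  # truthiness test. It is false when the field is absent, null or boolean
  # false, so some_id is only added to events that really carry the value.
  if [fields][some_id] {
    mutate {
      add_field => { "some_id" => "%{[fields][some_id]}" }
    }
  }

  # copy alternative: skipped when the source field is missing, so no
  # conditional is needed. It also keeps the original value type, whereas
  # add_field with a sprintf reference always produces a string.
  mutate {
    copy => { "[fields][some_id]" => "copied_id" }
  }
}

output {
  # Expected: the first event has unguarded_id, some_id and copied_id all set
  # to "abc-123"; the second has only unguarded_id, holding the unresolved
  # "%{[fields][some_id]}" literal.
  stdout { codec => rubydebug }
}
```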

Hello Jenni,
thank you very much - very interesting comment! Regarding your second point:
Yes, there is a beat input defined too in the logstash config like this:
...
beats {
  port => 5044
  add_field => { "[@metadata][datatype]" => "beat" }
}
...
That is why this definition in the filter also works:
...
if [@metadata][beat] == "filebeat"...
...
Great, thanks!
