There are many ways you could do this. You can either do an if/else condition in the output or within the filter.
I tend to do it mostly within the filter, as it is cleaner and more modular.
So an example would be:
input {
  pipeline {
    address => os_nix_syslog_pipeline
  }
}
filter {
  grok {
    match => {
      "message" => "%{SYSLOG5424LINE}"
    }
  }
  # Compare the field (square-bracket field reference), not a quoted string:
  # "syslog5424_host" == "127.0.0.1" is always false, so every event would get "unknown"
  if [syslog5424_host] == "127.0.0.1" {
    mutate {
      add_field => { "myhost" => "localhost" }
    }
  } else {
    mutate {
      add_field => { "myhost" => "unknown" }
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    user => "elastic"
    password => "changeme"
    index => "os_%{myhost}-%{+YYYY.MM}"
  }
}
The idea here is:
- Get the input from a pipeline or log. In this example, it is a linux_syslog.
- Grok to get the linux_syslog parameters.
- If the syslog_host is 127.0.0.1, it's localhost, so add a field called "myhost" set to "localhost". If anything else, it is "unknown".
- Just pump the output based on that field.
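For comparison, the same routing done in the output block rather than the filter, as an added example that is not part of the original post. It assumes the same `os_nix_syslog_pipeline` input and grok pattern, and that the Elasticsearch password has been stored in the Logstash keystore under the (hypothetical) name `ES_PWD`, so the config references `${ES_PWD}` instead of carrying the password in plain text. It also adds a branch for `_grokparsefailure`: an event whose grok failed never gets a `myhost` field, and with the filter-side version above the unresolved `%{myhost}` would then be written literally into the index name.

```logstash
input {
  pipeline {
    address => os_nix_syslog_pipeline
  }
}

filter {
  grok {
    match => { "message" => "%{SYSLOG5424LINE}" }
  }
}

output {
  # Events grok could not parse go to their own index, so an unresolved
  # "%{myhost}" never leaks into the index name as a literal string
  if "_grokparsefailure" in [tags] {
    elasticsearch {
      hosts    => ["http://localhost:9200"]
      user     => "elastic"
      password => "${ES_PWD}"      # assumed keystore entry, hypothetical name
      index    => "os_unparsed-%{+YYYY.MM}"
    }
  } else if [syslog5424_host] == "127.0.0.1" {
    # Field reference in square brackets, compared against a quoted literal
    elasticsearch {
      hosts    => ["http://localhost:9200"]
      user     => "elastic"
      password => "${ES_PWD}"
      index    => "os_localhost-%{+YYYY.MM}"
    }
  } else {
    elasticsearch {
      hosts    => ["http://localhost:9200"]
      user     => "elastic"
      password => "${ES_PWD}"
      index    => "os_unknown-%{+YYYY.MM}"
    }
  }
}
```

The output-side variant repeats the whole elasticsearch block once per branch (and once more for every host you want to route), which is exactly why doing the decision in the filter and interpolating a single field into `index` is the more modular of the two.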