I was not able to see tags what ever i passed in fileter "add_tag" i can see tag what i was passing in filebeat "beat"
input {
beats {
port => 5044
tags => [ "beat" ]
}
}
filter{
if "beat" in [tags] {
if [type] == "controller" {
if "|ERROR|" in [message]{
grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:ERROR} %{GREEDYDATA:message}" }
add_tag => [ "controller","ERROR" ]
}
}
if "|DEBUG|" in [message]{
grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:ERROR} [%{DATA:class}]:%{GREEDYDATA:message}" }
add_tag => [ "controller","DEBUG" ]
}
}
if "|TRACE|" in [message]{
grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:ERROR} [%{DATA:class}]:%{GREEDYDATA:message}" }
add_tag => [ "controller","TRACE" ]
}
}
if "|INFO|" in [message]{
grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:ERROR} [%{DATA:class}]:%{GREEDYDATA:message}" }
add_tag => [ "controller","INFO" ]
}
}
if "|WARN|" in [message]{
grok { match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:ERROR} [%{DATA:class}], %{GREEDYDATA:message}" }
add_tag => [ "controller","WARN" ]
}
}
}
}
}
output {
if [tag] == "beat" {
elasticsearch {
action => "index"
hosts => "es.amazonaws.com:80"
index => "logs"
}
stdout { codec => rubydebug }
}
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.