Below is my input message to Logstash:
{
"object2": "",
"headers": {
"request_path": "/",
"request_method": "POST",
"http_accept": "*/*",
"content_type": "application/json; charset=utf-8",
"http_version": "HTTP/1.1",
"http_user_agent": null,
"content_length": "859",
"http_host": "XXXXXXXXXXXXX"
},
"host": "xxxxxxx",
"logger_name": "awx.analytics.activity_stream",
"summary_fields": {
"actor": {
"username": "xxx.xxx@xxx.com",
"first_name": "xxx",
"id": 999,
"last_name": "xxx"
},
"credential": [{
"kind": "ssh",
"cloud": false,
"credential_type_id": 1,
"description": "test sr_xxx for activity streams 44671112213",
"kubernetes": false,
"name": "xx_xxx_test",
"id": 999
}]
},
"@version": "1",
"@timestamp": "2021-05-31T10:02:20.745Z",
"level": "INFO",
"cluster_host_id": "xxxxxxxxxx",
"message": "Activity Stream update entry for xxxxxxxx",
"stack_info": null,
"operation": "update",
"actor": "xxx@xxx.com",
"changes": {
"description": ["test sr_xxx for activity streams 4144671112213", "test sr_xxx for activity streams 44671112213"]
},
"object1": "credential",
"relationship": "",
"tower_uuid": null
}
And below is my Logstash config:
# HTTP input: listens on port 5000 with TLS enabled and decodes each request body as JSON.
input {
http {
port => 5000
codec => json
ssl => true
# NOTE(review): the CA list used to validate client certificates is the same file
# as the server certificate below. Confirm this is intended; a separate CA file
# for client certificates is the usual layout.
ssl_certificate_authorities => "/etc/ssl/elastic/elastic.crt"
ssl_certificate => "/etc/ssl/elastic/elastic.crt"
# NOTE(review): the private key should be readable only by the account that runs Logstash.
ssl_key => "/etc/ssl/elastic/elastic.key"
# "peer" asks the client for a certificate and validates one if it is presented,
# but a client that sends no certificate is still accepted. "force_peer" closes
# the connection when no certificate is provided. No user/password is set here
# either, so as written any client that can reach port 5000 can submit events.
ssl_verify_mode => "peer"
}
}
# Outputs: every event is sent to Elasticsearch and printed to stdout; events that
# satisfy the conditional below are additionally written to a file.
output {
elasticsearch {
# NOTE(review): no URL scheme and no ssl, user or password settings appear in this
# block, so the connection is presumably plain HTTP without credentials. Confirm
# against the cluster's security settings, since these events carry actor
# usernames and e-mail addresses.
hosts => ["xxx.xxx.xxx.xxx:9200"]
}
stdout { codec => rubydebug }
#stdout { codec => json }
# In the sample event, [changes][description] is an array of two strings rather
# than a single string. NOTE(review): =~ is a regex match on a string value, so it
# likely evaluates false for an array and the file output below is never reached.
# Testing an element, e.g. [changes][description][0], is the thing to verify.
if [changes][description] =~ /test sr_xxx for activity streams/ {
# NOTE(review): /tmp is a shared, world-writable directory and the events written
# here include actor usernames. A directory owned by the Logstash account with
# restrictive permissions is a safer target for audit data.
file { path => "/tmp/sr_output.txt" }
}
}
I expect the input message to be written to the file /tmp/sr_output.txt but it's not being written.
Any idea as to why?