Hi, I am trying to replace the field "component" but it is not showing in the output. What exactly am I doing wrong? I am new to ELK. Below is my Logstash config.
input {
  tcp {
    'port' => '9563'
  }
}
filter {
  json {
    source => 'message'
  }
  if [component] == "0" {
    mutate {
      replace => [ "component", "others" ]
    }
  }
  if [component] == "1" {
    mutate {
      replace => [ "component", "datawarehouse" ]
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch{ hosts => "XX.xx.xx.xx:9200" }
  file {
    'path' => '/tmp/output.log'
  }
}
Please show an example input message.
{"timestamp":"2016-03-22 17:42:06","message":"[Start]","messageLevel":"INFO","component":1,"transactionId":0,"Project":"Datawarehouse","Database":"slave","LogClass":"DCS"}
{"timestamp":"2016-03-22 17:42:06","message":"1 table(s) found","messageLevel":"INFO","component":1,"transactionId":0,"Project":"Datawarehouse","Database":"slave","LogClass":"DCS"}
The component field is apparently an integer field and not a string so your conditional needs to look like this:
if [component] == 1 {
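
An added example, not part of the original thread: one way to make the filter from the question independent of whether the producer sends "component" as a JSON number (1) or a string ("1") is to convert the field to a string before the conditionals run. The tag name "component_unmapped" is hypothetical and only marks events whose value was not 0 or 1.

```logstash
filter {
  json {
    source => "message"
  }

  # After the json filter, "component":1 is an integer, so a test against
  # the string "1" never matches. Converting to string first lets the
  # string comparisons below match for both 1 and "1".
  # Events without a component field pass through convert unchanged.
  mutate {
    convert => { "component" => "string" }
  }

  if [component] == "0" {
    mutate {
      replace => { "component" => "others" }
    }
  } else if [component] == "1" {
    mutate {
      replace => { "component" => "datawarehouse" }
    }
  } else if [component] {
    # Hypothetical tag: flag values outside the known mapping instead of
    # letting them through unnoticed.
    mutate {
      add_tag => [ "component_unmapped" ]
    }
  }
}
```

With the stdout rubydebug output from the question, an integer field prints without quotes and a string field prints with them, which shows the type a conditional has to match.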
Thank you. It worked; I can see it in Elasticsearch but cannot see the component in Kibana. It is showing blank as component.
Sorry, my mistake. I generated a new index and the problem was solved, but I want to know: can I use other comparison operators like (>=, <=, <, >) in a filter?