Logstash query to elastic

FDO · September 10, 2020, 4:27pm

I use https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html

For end event I trying to find data from first event

          if [url] {
        elasticsearch {
          hosts => ["${ES_node01}"]
          index => "logstash-mikrotik-*"
          user => "${es_login}"
          password => "${ES_pwd}"
          sort => "@timestamp:desc"
          query => 'vpn_ip:"[src_ip]" and tags:"VPN" and action:"logged in"'
          fields => { "login" => "vpn_possible_login" }
          docinfo_fields => {
            "_id" => "document_id"
            "_index" => "document_index"
            # "login" => "vpn_possible_login"
          }
        }

But as result I retrived

event even with wrong action field
same wrong result for different src_ip

What is the mistake in query?

system · October 8, 2020, 4:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch filter plugin Logstash	1	479	September 7, 2017
Failed to query elasticsearch for previous event Logstash	1	1784	July 6, 2017
Elasticsearch filter plugin and winlogbeat Logstash	2	207	June 25, 2021
ElasticSearch filter plugin "Failed to parse query" Was Expecting TO Logstash	2	573	October 24, 2020
Logstash Elasticsearch filer query to filter data from existing data Logstash	2	215	December 14, 2021

Logstash query to elastic

Related Topics