Logstash tags conditional issue

a.sailor · March 7, 2019, 4:16pm

Hi all,
i'm trying to accomplish one very simple thing, but i'm now stuck.
This is my basic logstash pipeline:

input {
beats {
port => 5044
 }
 }

### FILTER SECTION ###

filter {

if "cms-access" in [tags] {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{DATA:app} %{GREEDYDATA:address} %{IP:ip} - - %{NUMBER:response} %{GREEDYDATA:request} %{QS:agent}" }
}
}
}


output {

if "cms-access" in [tags] {

        elasticsearch {
                    hosts => ["es_data1", "es_data2"]
                    index => "logstash-cms-access-%{+YYYY.MM.dd}"

         }
    }
}

But, obviously, nothing is ingested in Elasticsearch (i tried without if condition and it works).
Thanks

Badger · March 7, 2019, 5:44pm

It works without the conditional? What does the tags field look like in elasticsearch when it works? (Or Kibana on the JSON tab.)

a.sailor · March 8, 2019, 8:20am

Hi Badger,

thanks for your reply.
Without conditional it works and it set tag according to filebeat.

I set the tag in Filebeat, so:

- type: log
  enabled: true
  tags: ["cms-access"]
  paths:
     - /logs/httpd/**/cms_com/access

Badger · March 8, 2019, 1:02pm

What does the tags field look like in the JSON tab in Kibana when you remove the conditional?

system · April 5, 2019, 1:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.