Make logstash filter by name

elk6 · July 16, 2020, 6:24pm

I have a log file called "/var/log/commands.log" that I'm trying to separate into fields with logstash & grok. I've got it working. Now, I'm trying to make logstash only do this to the file "/var/log/commands.log" and not any input by doing "if name = commands.log" but something with the "if" statement seems wrong as it skips over it.

    input{
    file{
    path => "/var/log/commands.log"
    }
    beats{
    port => 5044
    }
    }
    filter {
    if [log][file][path] == "/var/log/commands.log" {
    grok{
    match => { "message" => "*very long statement*"
    }
    }
    }
    }
    output{
    elasticsearch { hosts => ["localhost:9200"]}
    }

If I remove the if statement it works and the fields are visible in kibana. I'm testing things locally. Does anyone know what's going on?

Badger · July 16, 2020, 6:49pm

I think beats set [log][file][path], but a file input just sets [path]

elk6 · July 16, 2020, 8:30pm

Thank you SO MUCH! I have a follow up question if that's allowed, I'm also trying to make it read JSON logs. On another machine, I've got it working by adding the following to filebeat:

processors:
  - decode_json_fields:
      fields: ["message"]
      process_array: false
      max_depth: 1
      target: ""
      overwrite_keys: false
      add_error_key: true

Is it possible to achieve in logstash?

Badger · July 16, 2020, 9:49pm

There is a json filter that can parse json.

system · August 13, 2020, 9:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.