Multiple Filebeat inputs with logstash output

steffens · August 28, 2018, 7:35pm

There might be a many issue. The most obvious issue I see are:

 if [tag] == "TE" {
   ...
}

The Field [tag] does not even exist. => The grok filter will never be executed because if this condition.

else  if [tag] == "TMRS" {
    ...
}

Same, [tag] does not exist.

But you are writing tags. That changing condition to if "TE" in [tags] or if [fields][log_type] == "te" should fix the conditions.

output {
  elasticsearch {
    hosts => ["192.168.0.159:9200"]
    manage_template => false
    index => "%{tag}-index"
  }
}

The index setting is wrong because:

field tag does not exist
syntax is wrong. For field access it should say index => "%{[tag]}-index"
if you were to use tags, this would not be a string, but a list, generating an invalid index name

As you already have fields.log_type configured in filebeat, I assume you want:

output {
  elasticsearch {
    hosts => ["192.168.0.159:9200"]
    manage_template => false
    index => "%{[fields][log_type]}-index"
  }
}

Please note, index names without timestamp are not recommended. You will have a hard time to delete old data when you are about to run out of disk space.

Having log_type, I don't see why you need to configure tags in filebeat, but it doesn't really hurt to do so.

No idea about the grok and kv filters. I'm no grok debugger, but have you tried a grok debugger like the one that comes with kibana?

Topic		Replies	Views
Multiple input filebeat to logstash Logstash	2	323	May 26, 2020
Filebeat cant send data to logstash Beats filebeat	11	4601	February 20, 2018
Filebeat multiple input and multiple output indices Beats filebeat	3	3103	November 26, 2020
Logstash-multiple inputs one output problem Logstash	4	2205	August 1, 2018
FileBeats to Logstash Logstash	5	859	August 24, 2017

Multiple Filebeat inputs with logstash output

Related topics