NEW to ELK: using conditionals in filter

hAh0L13 · September 9, 2019, 5:21am

Hello. Stuck in configuring pipeline. My filebeat agent send apache_access logs with "fields.type = apache_access" option:

 filebeat.inputs:
 - type: log
   enabled: true
   paths:
     - D:\log\apache\access-*.log
   fields:
     type: apache_access

My conditions in filter section of Logstash pipeline isn't working. I try

if [type] == "apache_access"
if [fileds.type] == "apache_access"
if "apache_access" in [_source.fields.type]
if "apache_access" in [fields.type]

Without "if" statement, grok filter for HTTPD_COMMONLOG works perfectly. Without - no error and no filter in Kibana:

Kibana JSON

{
"_index": "xxx-2019.09.09",
"_type": "doc",
"_id": "6apiFG0BnV6XU8Emsk4W",
"_version": 1,
"_score": null,
"_source": {
"message": "10.22.11.10 - - [09/Sep/2019:12:57:53 +0800] "GET /yyy/public/images/logo-xxxx.png HTTP/1.1" 304 -",
"@timestamp": "2019-09-09T04:57:54.264Z",
"ecs": {
"version": "1.0.1"
},
"host": {
"name": "xxxx"
},
"tags": ,
"input": {
"type": "log"
},
"fields": {
"type": "apache_access"
},
"@version": "1",
"agent": {
"version": "7.3.1",
"ephemeral_id": "c37a231e-2534-47c7-8883-5eb592b7e844",
"hostname": "xxxx",
"id": "ea151f77-6c61-487b-b28f-35e0686f58f7",
"type": "filebeat"
},
"log": {
"file": {
"path": "D:\log\apache\access-2019-09-09.log"
},
"offset": 57684
}
},
"fields": {
"@timestamp": [
"2019-09-09T04:57:54.264Z"
]
},
"sort": [
1568005074264
]
}

Whats's wrong with conditional? How can I separate logs - my goal is send several types of logs (apache, mysql, some other software) by one filebeat with different fields.type option and filtering in logstash pipeline with input - beats

Tek_Chand · September 9, 2019, 5:36am

@hAh0L13, The below pattern should work:

if [type] == "application_log"

You need to define this if condition in output filter also in logstash.

Thanks.

hAh0L13 · September 9, 2019, 5:45am

My logstash config:

logstash.conf

input {
beats {
port => 5044
}
}

filter {
if [type] == "apache_access" {
grok {
match => { "message" => ["%{HTTPD_COMMONLOG}", "%{HTTPD_COMBINEDLOG}"] }
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
mutate {
add_tag => ["apache_access"]
}
}
if "beats_input_codec_plain_applied" in [tags] {
mutate {
remove_tag => ["beats_input_codec_plain_applied"]
}
}
}

output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}

I expect "true" in conditional, then grok "message" + retrieve timestamp with data + adding tag with mutate. And for all cases delete standart tag. Now it only delete standart tag. If i delete IF statement, it works fine.

@Tek_Chand, where is "application_log" in my message from filebeat? I should replace fields.type in filebeat config from "apache_access" to "apache_log"?

Tek_Chand · September 9, 2019, 5:56am

@hAh0L13,

application_log is just for reference you can change it as per your settings.

In your logstash configuration you have used if condition but didn't used else. But you need to use else also.

Your configuration should be look like below:

input {
  beats {
    port => 5044   
  }
}
filter {
if [type] == "apache_access" {
grok {
match => { "message" => ["%{HTTPD_COMMONLOG}", "%{HTTPD_COMBINEDLOG}"] ] }
}
date {
      date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
mutate {
add_tag => ["apache_access"]
   }
}
else {
grok {
match => { "message" => [ "(?<date-time>[\w\s\d\:]+)\s(?<IP>192.168.50.1)\s(?<port>582)\:\s(?<message>.*)" ] }
}
}
}
output {
  if [type] == "apache_access"
  elasticsearch {
    hosts => ["10.133.58.12:9200"]
    sniffing => true
    manage_template => false
#    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
#    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    index => "application-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
else
  {
elasticsearch {
    hosts => ["10.133.58.12:9200"]
    sniffing => true
    manage_template => false
#    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
}
}
}

Above configuration is for your help it may will not work at your end. You may need to make changes at your end as per your detail and configuration like index name, IPs etc.
Thanks.

hAh0L13 · September 9, 2019, 6:27am

Ok. I think found solution - adding "fields_under_root: true" option to filebeat let me use "if [type] == "application_log"" conditional. Maybe using sub-dictionary fields in conditionals is forbidden?

Tek_Chand · September 9, 2019, 6:31am

@hAh0L13,

Yes, you need to set above setting in your filebeat.yml.

Thanks.

Badger · September 9, 2019, 10:52am

No, it is not forbidden, but the syntax to reference a sub-field in logstash is [fields][type]. [fields.type] would reference a field that contains a period in its name.

system · October 7, 2019, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Conditional filtering not working in logstash Logstash	13	5505	March 6, 2019
Using conditionals to decide which logs to filter Logstash	3	346	October 3, 2019
Condition on filename in the path Logstash	3	2737	June 21, 2019
Logstash tags conditional issue Logstash	4	271	April 5, 2019
Integer comparison not working Logstash	4	490	August 20, 2020

NEW to ELK: using conditionals in filter

Related topics