Not able to get Source filename in the logstash output

Ramesh_Perumal · December 29, 2022, 4:45am

Hi,

We are using filebeat 7.10.2 and logstash 8.10.4. Filebeat transfer the files from Machine A (Filebeat) to Machine B (Logstash) and Logstash writes the same in machine B's path (/va/pm/sfile/%{hostname}/%{[log][file][name]})

Below are the logstash.conf
filter {
dissect {
mapping => {
"[log][file][path]" => "/ar/log/sa/pm/%{[log][file][name]}"
}
mapping => {
"[log][file][path]" => "/ar/log/ng/pm/reports/%{[log][file][name]}"
}
}
}
output {
file {
path => "/car/reports/files/%{hostname}/%{[log][file][name]}"
"dir_mode" => 0640
"file_mode" => 0640
}
}

Logstash writes the file with the name as %{[log][file][name]} and it is not replacing the actual source file name.

Please share your expertise to resolve this.

Regards,
Ramesh P

Badger · December 29, 2022, 5:34pm

The mapping option of a dissect filter is a hash, so if you specify the same entry twice then one will overwrite the other. If the /ar/log/sa/ entry is overwritten by the /ar/log/ng entry then files from /ar/log/sa/ will not be parsed. They will get a _dissectfailure tag and the [log][file][name] field will not exist, so it will not get substituted.

The documentation says that you may need a conditional to determine whether to apply a particular dissect to a field.

Ramesh_Perumal · December 30, 2022, 10:57am

Thanks, Badger. It is working now

system · January 27, 2023, 10:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.