Not able to see logs in the index

I have two mutate filters created: one to set all the /var/log/messages logs to type > security, and another mutate filter to set all the logs from one kind of host to type > host_type.
I am not able to see the /var/log/messages logs in the host_type index.

Here is the filter code I am using; please help me understand what's going on here. Why am I not able to see /var/log/messages in my apihost index?
I have filebeat setup on the hosts to send logs to logstash.

filter-security.conf
filter {
  # Forward slashes inside a Logstash regex literal must be escaped as \/
  if [source] =~ /\/var\/log\/(secure|syslog|auth.log|messages|kern.log)$/ {
    mutate {
      replace => { "type" => "security" }
    }
  }
}

filter-apihost.conf
filter {
  if (([host.name] =~ /(?i)apihost-/) or ([host] =~ /(?i)apihost-/)) {
    mutate {
      replace => { "type" => "apihost" }
    }
  }
}

@magnusbaeck any input would be appreciated. TIA

Can you please share the pipeline.yml configuration and the input, output, and filter configuration files?

You said you cannot see /var/log/messages in host_type index, are you sending it to different index?

Try adding tags to the logs first, using the add_tag option, to check whether your regex conditions are correct.

This site is really helpful for debugging regex: regex debug

@mancharagopan thanks for your reply. Yeah, I am sending them to a different index, like I mentioned in my post:
filter-security.conf
filter {
  # Forward slashes inside a Logstash regex literal must be escaped as \/
  if [source] =~ /\/var\/log\/(secure|syslog|auth.log|messages|kern.log)$/ {
    mutate {
      replace => { "type" => "security" }
    }
  }
}
So what I am trying to achieve is: I want to see them in both my indexes, 'security' as well as 'apihost'.
As I am sending /var/log/* to the 'security' index, I am not able to see only those logs in the 'apihost' index. But I can see all other logs I am sending from apihosts in the 'apihost' index. Please advise. Thanks

Actually I fixed this issue by adding a clone filter and sending data to both indexes. Just wanted to let you know @mancharagopan
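One way to write the clone-filter fix described in the last reply, as an added example and not the poster's own configuration. It combines both posted filters into one file (assumed name filter-routing.conf), keeps the thread's `[source]` field and regex, and assumes Filebeat's nested `host.name` (Logstash reference `[host][name]`), an index named after `type`, and an Elasticsearch at localhost:9200. A single event can hold only one `type`, so the second `replace` always wins; the clone gives the event a second copy that can carry the other `type`.

```logstash
# filter-routing.conf (assumed file name; example only, not the poster's config)
filter {
  # Host-based routing. Assumes Filebeat's nested host.name field.
  if [host][name] =~ /(?i)apihost-/ {
    mutate { replace => { "type" => "apihost" } }
  }

  # Security logs, matched on the path field used in the thread.
  # Slashes and dots are escaped inside the regex literal.
  if [source] =~ /\/var\/log\/(secure|syslog|auth\.log|messages|kern\.log)$/ {
    if [type] == "apihost" {
      # Emit a second copy of the event. add_tag is applied to the copy only,
      # so the copy can be routed separately further down this filter block.
      clone {
        clones => ["security"]
        add_tag => ["security_copy"]
      }
    } else {
      # Not an apihost event: a single copy in the security index is enough.
      mutate { replace => { "type" => "security" } }
    }
  }

  # The cloned copy continues through the filters after the clone filter,
  # so it is picked up here and retyped; the original keeps type "apihost".
  if "security_copy" in [tags] {
    mutate {
      replace    => { "type" => "security" }
      remove_tag => ["security_copy"]
    }
  }
}

output {
  # Assumed index naming: originals land in apihost-*, copies in security-*.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}
```

Adding a temporary `add_tag` inside each `if` block, as suggested earlier in the thread, is a quick way to confirm which conditions actually matched before relying on the routing.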
