Question on Fields created in Filebeat and matched in Logstash Input

This may be a theoretical question. I am trying to configure my Filebeat to send the logs to Logstash. Here is the config:

  - input_type: log
    paths:
      - /prod/logs/chassis/tomcat/app*.log
      #- c:\programdata\elasticsearch\logs*
    fields:
      index: app_mon
      source: tomcat_app
      aws_region: coaf_dev_east

My question is, can we use the fields created in the filebeat.yml to filter in the Logstash config input section?

For example: in the above config, I have defined source: tomcat_app. Can I use the same field in the Logstash input like below:

input {
  file {
    path => /prod/logs/chassis/tomcat/app*.log
    source => tomcat_app
  }

filter {
  if [source == tomcat_app]
    grok {
      {message => somegrokfilter}
    }
}

Output {
  ES
}

So are the field SOURCE in filebeat.yml and the one in the Logstash config file the same? Do the fields work this way?

My question is, can we use the fields created in the filebeat.yml to filter in the Logstash config input section?

Yes, of course.

if [source == tomcat_app]

The idea is correct but the syntax is wrong. See Accessing event data and fields | Logstash Reference [8.11] | Elastic.

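The pipeline discussed in this thread, written out as an added example that is not part of the original posts. It assumes Filebeat ships to a Logstash `beats` input on port 5044 and leaves `fields_under_root` at its default, so the custom fields from filebeat.yml arrive nested under `fields`; the grok pattern and the Elasticsearch host are placeholders.

```logstash
# Added example, not from the thread. Assumptions: Filebeat's output.logstash
# points at this host on port 5044; grok pattern and ES host are placeholders.
input {
  beats {
    port => 5044
  }
}

filter {
  # Filebeat nests custom fields under "fields" unless fields_under_root: true
  # is set, so "source: tomcat_app" is referenced as [fields][source].
  # Field references use one bracket pair per level; string values are quoted.
  if [fields][source] == "tomcat_app" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_time} %{LOGLEVEL:level} %{GREEDYDATA:log_message}" }
      # A distinct failure tag makes unparsed Tomcat lines easy to find later.
      tag_on_failure => ["_grokparsefailure_tomcat_app"]
    }
  } else {
    # Tag events that arrive without the expected field instead of letting
    # them pass through unparsed and unnoticed.
    mutate { add_tag => ["unknown_source"] }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    # Index name taken from the "index" custom field in filebeat.yml (app_mon).
    index => "%{[fields][index]}-%{+YYYY.MM.dd}"
  }
}
```

If `fields_under_root: true` is set in filebeat.yml, the same fields sit at the top level of the event and the condition becomes `if [source] == "tomcat_app"`.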

Thanks Magnus. Found the correct syntax.
