Question on Fields created in Filebeat and matched in Logstash Input

shroh · August 3, 2017, 2:44pm

This may be a theoretical question, I am trying to configure my filebeat to send the logs to logstash. Here is the config:

My question is , can we use the fields created in the filebeat.yml to filter out in the Logstash config input section?

For ex: in the above config, i have defined source : tomcat_app , can i use the same field in the logstash input like below:

input {
file {
path => /prod/logs/chassis/tomcat/app*.log
source => tomcat_app
}

filter {

   if [source == tomcat_app]
      grok {

      {message => somegrokfilter}

       }

}

Output {

ES
}

So is the field SOURCE in filebeat.yml and logstash config file are same? Do the fields work this way?

magnusbaeck · August 3, 2017, 5:32pm

My question is , can we use the fields created in the filebeat.yml to filter out in the Logstash config input section?

Yes, of course.

if [source == tomcat_app]

shroh · August 3, 2017, 5:49pm

Thanks Magnus. Found the correct syntax.

system · August 31, 2017, 5:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Source file path transfer to Logstash Beats filebeat	8	2079	April 10, 2017
Parse source field Logstash	4	904	November 29, 2018
How to use filebeat fields name value in logstash config Beats filebeat	5	14738	May 2, 2017
Logstash Adding Filebeat Fields Logstash	6	494	October 29, 2018
How to configure conditional input-output from Filebeats Logstash	11	4949	September 4, 2018