Question on Fields created in Filebeat and matched in Logstash Input

shroh · August 3, 2017, 2:44pm

This may be a theoretical question, I am trying to configure my filebeat to send the logs to logstash. Here is the config:

My question is , can we use the fields created in the filebeat.yml to filter out in the Logstash config input section?

For ex: in the above config, i have defined source : tomcat_app , can i use the same field in the logstash input like below:

input {
file {
path => /prod/logs/chassis/tomcat/app*.log
source => tomcat_app
}

filter {

   if [source == tomcat_app]
      grok {

      {message => somegrokfilter}

       }

}

Output {

ES
}

So is the field SOURCE in filebeat.yml and logstash config file are same? Do the fields work this way?

magnusbaeck · August 3, 2017, 5:32pm

My question is , can we use the fields created in the filebeat.yml to filter out in the Logstash config input section?

Yes, of course.

if [source == tomcat_app]

shroh · August 3, 2017, 5:49pm

Thanks Magnus. Found the correct syntax.

system · August 31, 2017, 5:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use filebeat fields name value in logstash config Beats filebeat	5	14627	May 2, 2017
How to use custom fields from filebeat in logstash? Logstash	2	4692	October 14, 2018
Filebeat fields value unable to use it in logstash configuration file Logstash	9	570	February 7, 2021
Use filebeat added field for logstash conditions Logstash	3	324	August 20, 2019
How to configure conditional input-output from Filebeats Logstash	11	4776	September 4, 2018