Read Optional fields

millerb1 · March 6, 2018, 8:17pm

We have installed File-Beats on multiple servers to harvest JBoss logs and save through the same Log-Stash pipeline into Elastic-Search. We have set the optional fields in File-Beats config and want to save the Channel and Node into their own Elastic-Search field.

File-Beats config line 95 - 98:

Optional fields that you can specify to add additional information to the

output.

#fields:
channel: QA
node: 1

Log-Stash config
filter {
grok {
match => [
"message",
"%{CHANNEL:channel} %{NODE:node} %{TIME:time} %{LOGLEVEL:level} [(?[^]]+)] ((?[^)]+)) %{GREEDYDATA:message}"
]
overwrite => ["message"]
}
}

magnusbaeck · March 7, 2018, 10:46am

Don't comment the fields: line.
It doesn't seem to make sense to both save the fields via the Filebeat configuration and extract the same fields in the grok filter. Pick one method of obtaining those field values.

Topic		Replies	Views
Filebeat lotstash output and 'exported fields' Beats filebeat	4	1851	March 16, 2018
Re: Filebeat > Kafka > Logstash > ElasticSearch Logstash	5	1983	September 26, 2017
Create new Fields to Filter by Beats filebeat	3	416	September 10, 2019
Missing fields Filebeat -> Logstash -> Elasticsearch Logstash	3	1689	October 27, 2017
Logstash not saving additional fields Logstash	7	445	August 20, 2020

Read Optional fields

Optional fields that you can specify to add additional information to the

output.

Related topics