Reading beats fields from Kafka input

Rober · February 23, 2017, 11:43am

Hi,
in my infrastructure I have something like:
Filebeat -> Kafka -> Logstash -> Elasticsearch

I'm having problems reading the custom fields set up in Filebeat when filtering in Logstash.

I configured the kafka input in Logstash, I'd like to be able to read content of "my_custom_field", but I'm unable to...

{
	"message" : {
		"@timestamp":"2017-02-22T17:13:22.346Z",
		"beat":{
			"hostname":"host-01",
			"name":"name-01",
			"version":"5.2.1"},
			"fields":{
				"my_custom_field":"XXXXX"
			},
		"input_type":"log",
		"message":"....................",
		"offset":6894303,
		"source":"...",
		"type":"log"
	}
}

How can I access this field in order to create my index name (output) using it?

magnusbaeck · February 27, 2017, 6:41am

I'm confused as to why all fields are nested under message, but if this indeed is what your event looks like you can access my_custom_field with [message][beat][fields][my_custom_field].

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

Rober · February 27, 2017, 11:57am

Thanks!
Actually, what I'm doing now to get this field is:

json {
	source => "message"
	target => "beat_details"
}	
mutate { 
	add_field => { "type" => "%{[beat_details][fields][my_custom_field]}" } 	
}

Then I can use this "type" in my filters.

Topic		Replies	Views
Logstash Adding Filebeat Fields Logstash	6	508	October 29, 2018
Can I only reserve fields parsed from log when output? Beats filebeat	1	324	September 20, 2019
Kafka input kibana message one field Logstash	3	340	March 3, 2022
Logstash not able to access the custom field from Filebeat Logstash	2	2026	June 27, 2017
Input from kafka to logstash Logstash	5	368	July 11, 2019

Reading beats fields from Kafka input

Related topics