Recommended way of telling Logstash type of logs

joshuaspence · January 11, 2018, 5:43am

In Filebeat 6 the document_type field was removed. However, all of the examples that I can find for parsing logs with Logstash rely on the type field being set (which was determined by the document_type setting on the Filebeat prospector. For example, [SOLVED] Filebeat to Logstash best practice show does this:

filter {
  if [type] == "nginx-access" {
    # ...
  }
}

Some other resources (such as Document_type deprecated?) suggest add a custom field to the fields configuration on the Filebeat prospector, but this seems a little bit incovenient because it means that either I have to use [fields][type] in my Logstash configuration (which is fine I guess, but [type] felt much cleaner) or I need to remember to set fields_under_root on all of the Filebeat prospectors.

steffens · January 11, 2018, 1:12pm

There is no direct replacement for document_type. With removal of document_type you have to use fields + fields_under_root or use tge tags settting. Using tags you condition in Logstash becomes:

filter {
  if "nginx-access" in [tags] {
  }
}

system · February 8, 2018, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Now that support for type has been removed in filebeat 6, how to add filters in logstash config? Logstash	2	1673	December 28, 2017
Document_type is being ignored Beats filebeat	5	4493	December 28, 2017
How to filter data from Filebeats in Logstash Logstash	6	7123	July 6, 2017
Is document_type in filebeat same as type in logstash filter? Beats filebeat	3	2455	February 6, 2018
Is setting `document_type` on filebeat a bad idea? Should Logstash be grok'ing and setting it? Logstash	3	584	July 6, 2017

Recommended way of telling Logstash type of logs

Related topics