Recommended way of telling Logstash type of logs

joshuaspence · January 11, 2018, 5:43am

In Filebeat 6 the document_type field was removed. However, all of the examples that I can find for parsing logs with Logstash rely on the type field being set (which was determined by the document_type setting on the Filebeat prospector. For example, [SOLVED] Filebeat to Logstash best practice show does this:

filter {
  if [type] == "nginx-access" {
    # ...
  }
}

Some other resources (such as Document_type deprecated?) suggest add a custom field to the fields configuration on the Filebeat prospector, but this seems a little bit incovenient because it means that either I have to use [fields][type] in my Logstash configuration (which is fine I guess, but [type] felt much cleaner) or I need to remember to set fields_under_root on all of the Filebeat prospectors.

steffens · January 11, 2018, 1:12pm

There is no direct replacement for document_type. With removal of document_type you have to use fields + fields_under_root or use tge tags settting. Using tags you condition in Logstash becomes:

filter {
  if "nginx-access" in [tags] {
  }
}

system · February 8, 2018, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Document Type in version 6.1.0 Logstash	2	1496	February 3, 2018
Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6} Logstash	3	16250	July 10, 2019
Problems migrating from filebeat 5 to 7 - not gettings the data/fields we need in logstash Beats filebeat	3	259	September 14, 2023
Document_type deprecated? Beats filebeat	8	17904	September 8, 2017
Document_type is being ignored Beats filebeat	5	4452	December 28, 2017

Recommended way of telling Logstash type of logs

Related Topics