Recommended way of telling Logstash type of logs

joshuaspence · January 11, 2018, 5:43am

In Filebeat 6 the document_type field was removed. However, all of the examples that I can find for parsing logs with Logstash rely on the type field being set (which was determined by the document_type setting on the Filebeat prospector. For example, [SOLVED] Filebeat to Logstash best practice show does this:

filter {
  if [type] == "nginx-access" {
    # ...
  }
}

Some other resources (such as Document_type deprecated?) suggest add a custom field to the fields configuration on the Filebeat prospector, but this seems a little bit incovenient because it means that either I have to use [fields][type] in my Logstash configuration (which is fine I guess, but [type] felt much cleaner) or I need to remember to set fields_under_root on all of the Filebeat prospectors.

steffens · January 11, 2018, 1:12pm

There is no direct replacement for document_type. With removal of document_type you have to use fields + fields_under_root or use tge tags settting. Using tags you condition in Logstash becomes:

filter {
  if "nginx-access" in [tags] {
  }
}

system · February 8, 2018, 1:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Now that support for type has been removed in filebeat 6, how to add filters in logstash config? Logstash	2	1659	December 28, 2017
Is setting `document_type` on filebeat a bad idea? Should Logstash be grok'ing and setting it? Logstash	3	573	July 6, 2017
Document Type in version 6.1.0 Logstash	2	1496	February 3, 2018
Is document_type in filebeat same as type in logstash filter? Beats filebeat	3	2438	February 6, 2018
Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>6} Logstash	3	16313	July 10, 2019

Recommended way of telling Logstash type of logs

Related topics