Require support for conditional statement within beats input section

vinod8427 · December 15, 2015, 3:17pm

I have a use case wherein I am running 2 different prospectors for 2 different file types and shipping the log events to logstash. Now in my logstash while I receive events from both file types, I would however want for one particular event type to be using multiline codec else ignore for other event types. Currently there is no conditional support as such for this. See below for my expectation:

input {
beats {
port => "5033"
if[type] == "trc" {
codec => multiline {
negate => "true"
pattern => "(.MAJOR)"
what => "previous"
}
}
}
}

Is there a way I can achieve this? I also tried the following in my logstash config which seems very very legit but it just doesn't allow me to do it

input {
if[type] == "trc" {
beats {
port => "5044"
codec => multiline {
negate => "true"
pattern => "(.MAJOR)"
what => "previous"
}
}
}
else {
beats { port => "5044" }
}
}

For the above config I keep getting port already in use error. One possible way to get around this use case is to run another filebeat instance shipping those events alone on a different port. But I do not wish to do that. Could you please suggest if there is a way which I am unaware of to get around this use case? Else would this be considered as a requirement ?

rclarke · December 15, 2015, 4:06pm

Hello Vinod,

You will have to place this conditional in your filter section, and e.g. use a regex to identify the documents you want to drop and drop them with the drop filter.
Conditionals cannot be placed in the input section (and logically this will never be possible).

Another thought you might like to try would be to have two beats inputs each with a unique port, and in your filebeat agents send to the correct port knowing if the source is multiline or not.

Cheers,
-Robin-

vinod8427 · December 16, 2015, 10:05am

Hi Robin,

Since my requirement is to use a multiline codec/filter, it wouldn't be possible for me to push the conditional statements into filter sections for two reasons:

With multiline filter used, worker threads cannot be set to 2 or more
I also use a uuid plugin. With multiline being used in filter section, it generates and returns me an array of uuid's instead of one. This is not acceptable for my application.

Guess as a last resort I need to run a dedicated filebeat instance shipping events to logstash indexer on a dedicated port for which I require multiline support.

steffens · December 16, 2015, 4:51pm

@vinod8427 you can follow progress on multiline support on github.

Haven't used these to filter plugins myself yet, but can you apply the uuid plugin after multiline (maybe combined with conditional) to generate only one uuid or use the mutate filter to select only one uuid from this array?

marcziss · January 6, 2017, 3:06am

Hi Vinod,
Was looking for an answer to that myself and wound up using filebeats multi-line support to agggregate the lines before shipping ( a stack trace in my case) and then do the groking and mutating based of a conditional filter in logstash itself. I know this is an old item, but maybe it will help someone going through the same frustration.
Marc

Topic		Replies	Views
Multiline codec in if else condition in beat input of logstash Logstash	8	2523	January 15, 2018
Multiple Beats Input (filebeat, topbeat) Logstash	3	4413	July 6, 2017
How to take beats inputs in multiple codecs in logstash Logstash	8	4013	July 6, 2017
Adding more logs to filebeat to export and on elk server to logstash to receive Logstash	7	384	July 6, 2017
Filebeat conditional output logstash Beats filebeat	4	4496	May 21, 2018

Require support for conditional statement within beats input section

Related topics