mhare
October 11, 2019, 6:55pm
1
I am ingesting 8 different CSV file schemas using 8 logstash pipelines and reading from a Windows file share. IT has been recommending to not read across the file share but use Filebeat.
--------------------------------------------------------------
MemoryLeak Input
type: log
C:\MemoryLeakTest\v03*-memleak*.log
--------------------------------------------------------------
AM-300 TaskStat Input
type: log
C:\MemoryLeakTest\v03*_am-300-taskstat*.log
The output is:
The Logstash hosts
hosts: [":5044"]
Now, how the heck do I get this to work with my 8 pipeline files?
I put this at the top of one of the pipeline files:
input {
My question is, does this look right so far?
Thanks, Mike
rugenl
October 11, 2019, 7:53pm
2
You could use pipeline to pipeline communication
You would be using a "distributor". The if logic in the output section could reference the [fields][log_type] value you have set in filebeat.
mhare
October 22, 2019, 6:03pm
3
OK, the Distributor pattern looks like what I need.
output {
if [type] == apache {
pipeline { send_to => weblogs }
} else if [type] == system {
pipeline { send_to => syslog }
} else {
pipeline { send_to => fallback }
}
I am assuming I need to set [type] in my pipeline. My question now is, how?
tags: ["memleak"]
fields: {log_type: memleak}
I am guessing 'tag' is not needed and I can use a decision point as:
if [log_type] == memleak {
(do pipeline connection stuff here)
}
Nope.. didn't work. the 'fields' in my filbeat.yml is invalid.
I think I'm getting close, still don't understand how to set the [type] value to an arbitrary value
For filebeat.yml, I have:
- type: log
enabled: true
paths:
- C:\Users\xyzzy\CommonLogs\*-memleak*.log
fields:
"log_type": "memleak"
My decision point in pipelines.yml is:
- pipeline.id: beats-server
config.string: |
input { beats { port => 5044 } }
output {
if ["log_type"] == "memleak" {
pipeline { send_to => memleakpl }
}
}
If I remove the decision point and just call the 'send_to' it works. So i'm just trying to get the 'if' statement to work
mhare
October 23, 2019, 2:56pm
4
From what I have read, in my filebeat yaml I can either:
tags: ["memleak"]
fields:
log_type: "memleak"
In my pipelines yaml I need to evaluate one of these and make a decision
output {
if <something good goes here> {
pipeline { send_to => memleakpl }
}
}
I cannot find how to link either a tag or a field to the part of the conditional
rugenl
October 23, 2019, 3:01pm
5
Logstash syntax is:
If [fields][log_type] == "memleak" {
do something
}
I think you are close
mhare
October 23, 2019, 4:21pm
6
I will give that a try.
- type: log
enabled: true
tags: ["memleak"]
paths:
- C:\Users\xyzzy\CommonLogs\*-memleak*.log
- type: log
enabled: true
tags: ["rmc3_taskstat"]
paths:
- C:\Users\xyzzy\CommonLogs\*_rmc3-taskstat*.log
and in pipelines.yml:
- pipeline.id: beats-server
config.string: |
input { beats { port => 5044 } }
output {
if "memleak" in [tags] {
pipeline { send_to => memleakpl }
} else if "rmc3_taskstat" in [tags] {
pipeline { send_to => rmc3_taskstatpl }
}
}
Which seems to be working.
mhare
October 23, 2019, 5:02pm
7
Len, your solution also works.
rugenl
October 24, 2019, 4:14pm
8
Fields vs tags? I'd say whichever is understandable, logical and maintainable in your environment. I doubt there is a measurable performance difference.
I guess the old coding technique of putting the most frequent if condition first would apply either way.
