Select only one field to output

Finley · January 18, 2021, 4:40pm

Hello,

I'm trying to setup a logstash configuration. I want to forward the event.original field only on the udp output.

I have a filebeat input, and elasticsearch/udp output. I tried the "codec line" option with "format" but it does not consider the payload %{event.original} as a variable. Here is the configuration sample :

input {
  beats {
    port => 5044
    tags => ["serv1"]
  }

  output {
    if "serv1" in [tags] {
      elasticsearch {
        hosts => ["localhost:9200"]
        index => "serv1"
      }
      udp {
        host => ["192.168.1.1"]
        port => 514
          codec => line {
            format => "%{event.original}"
         }
     }
  }
}

NB : line codec is and format option is working with a syslog input.

Do you have any recommandations ?

system · February 15, 2021, 4:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash multiple output endpoints single event Logstash	2	746	April 12, 2017
Logstash Elasticsearch output - one field only Logstash	6	752	November 10, 2022
Using two input plugins ( beats and udp ) and output it to Elasticsearch Logstash	6	1952	August 4, 2017
Logstash syslog UDP output Logstash	1	573	November 5, 2019
Filebeat - accesing event data and fields in the configuration Beats filebeat	2	1078	November 5, 2018

Select only one field to output

Related topics