Send multiple fields with the syslog output

Hi,

We need to send two fields from a document to a remote TCP destination.
We tried to use the syslog output plugin and have not managed to solve this. We can successfully send one field by configuring the output like this:

syslog  {
     host => "1.1.1.1"
     port => "1514"
     message => "%{full_log}"
}

However, what we're trying to achieve is to send the full_log field + another field called "agent.hostname". Something like this:

syslog  {
     host => "1.1.1.1"
     port => "1514"
     message => "%{full_log} + %{agent.hostname}"
}

How can we configure the output to send the contents of two fields? Or is it better to use the TCP output plugin? Can we send the whole document with that?

EDIT: It seems that we're also having issues sending fields with dots in them (.), like "agent.hostname". How could we solve this in an efficient manner?

Are you sure the field has a dot in the name? It is possible that there is a field called agent.hostname; however, it is also possible that the agent object contains a field called hostname, in which case, in Logstash, a sprintf reference would have to be %{[agent][hostname]}.
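
The reply above, worked into a complete output section. This is an added example, not part of the original thread. It assumes the event carries a nested agent object and that the receiver at 1.1.1.1:1514 listens on TCP; the stdout output is a temporary addition for checking which shape the field actually has.

```logstash
output {
  # Temporary: print each event so the field structure can be inspected.
  # A nested field prints as  "agent" => { "hostname" => "..." }
  # A flat dotted field prints as  "agent.hostname" => "..."
  stdout { codec => rubydebug }

  syslog {
    host     => "1.1.1.1"     # destination from the original post
    port     => 1514
    protocol => "tcp"         # assumption: TCP listener; the plugin default is udp
    # Several sprintf references can be combined in one message string.
    # [agent][hostname] addresses the hostname key inside the agent object.
    message  => "%{full_log} %{[agent][hostname]}"
  }
}
```

If a reference does not resolve, Logstash leaves the literal `%{...}` text in the message, so a receiver showing `%{[agent][hostname]}` verbatim means the field is missing or has a different shape on that event.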
