Setting a field on Input and Referencing on output

seth.yes · June 6, 2017, 10:32pm

I'm using the HTTP Logstash (5.4.0) input plugin to receive json input data. I'm having users send data to a different port depending on whether it's test, staging or production data. I then need to reference that field in the output in order to populate the correct index.

The issue currently is that while the field I create is added and populated correctly, my output filter appears to always jump to the 'else' catchall of the output.

input {
  http {
    port => 8080
    type => [ "maps-iei" ]
    add_field => { "raw_message" => "message" }
    add_field => { "iei-type" => "production" }
    id => "maps-iei-prod"
  }
}
input {
  http {
    port => 8081
    type => [ "maps-ic" ]
    add_field => { "raw_message" => "message" }
    add_field => { "iei-type" => "staging" }
    id => "maps-iei-staging"
  }
}
input {
  http {
    port => 8082
    type => [ "maps-test" ]
    add_field => { "raw_message" => "%{message}" }
    add_field => { "iei-type" => "test" }
    id => "maps-iei-test"
    response_headers => {
      "Access-Control-Allow-Origin" => "*"
      "Content-Type" => "application/json"
      "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
    }
  }
}
output {
  if [iei_type] in ["production", "maps-iei-prod"] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if [iei_type] == "staging" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if [iei_type] == "test" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
}

Jaxon_Kochel · June 7, 2017, 8:24pm

I believe you have your if statements backwards, they should be reversed to something like

 if   ["production", "maps-iei-prod"] in [iei_type] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if "staging" in [iei_type] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if  "test" in [iei_type] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }

magnusbaeck · June 11, 2017, 8:10pm

There's nothing wrong with the order of the operands in the conditional but the field is spelled iei-type in add_field but iei_type in the conditionals.

seth.yes · June 12, 2017, 5:38pm

Good call, thanks @magnusbaeck

system · July 10, 2017, 5:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Having Issues With JSON Input Logstash	5	366	June 11, 2020
Clarification on if/else behavior in output Logstash	3	379	October 21, 2019
Issue with output plugin type elasticsearch in logstash Logstash	5	407	October 20, 2022
Accessing/comparing fields from two different input plugins in filter, simultaneously Logstash	11	1086	June 22, 2020
Output IF ELSE configuration error Logstash	8	35826	July 6, 2017

Setting a field on Input and Referencing on output

Related Topics