Setting a field on Input and Referencing on output

Elastic Stack Logstash
1

I'm using the HTTP Logstash (5.4.0) input plugin to receive json input data. I'm having users send data to a different port depending on whether it's test, staging or production data. I then need to reference that field in the output in order to populate the correct index.

The issue currently is that while the field I create is added and populated correctly, my output filter appears to always jump to the 'else' catchall of the output.

input {
  http {
    port => 8080
    type => [ "maps-iei" ]
    add_field => { "raw_message" => "message" }
    add_field => { "iei-type" => "production" }
    id => "maps-iei-prod"
  }
}
input {
  http {
    port => 8081
    type => [ "maps-ic" ]
    add_field => { "raw_message" => "message" }
    add_field => { "iei-type" => "staging" }
    id => "maps-iei-staging"
  }
}
input {
  http {
    port => 8082
    type => [ "maps-test" ]
    add_field => { "raw_message" => "%{message}" }
    add_field => { "iei-type" => "test" }
    id => "maps-iei-test"
    response_headers => {
      "Access-Control-Allow-Origin" => "*"
      "Content-Type" => "application/json"
      "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
    }
  }
}
output {
  if [iei_type] in ["production", "maps-iei-prod"] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if [iei_type] == "staging" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if [iei_type] == "test" {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
}
2

I believe you have your if statements backwards, they should be reversed to something like

 if   ["production", "maps-iei-prod"] in [iei_type] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if "staging" in [iei_type] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else if  "test" in [iei_type] {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-ic-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
  }
  else {
    elasticsearch {
      hosts => ["127.0.0.1:9200"]
      index => "maps-iei-%{+YYYY.MM.dd}"
      sniffing => "false"
    }
3

There's nothing wrong with the order of the operands in the conditional but the field is spelled iei-type in add_field but iei_type in the conditionals.

1 Like
4

Good call, thanks @magnusbaeck

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.