So..what do I use with 2.0 now that "type" is gone?


#1

I use type for both input and filter:

input {
        udp {
                type => "Snort"
                port => 5514
        }
}

and:

if [type] == "Snort" {
        grok {
                match => [ lots of stuff here ]
        }
}

Now what do I do? What other options do I have?


(Aaron Mildenstein) #2

The type field still works in the input block. You just can't use it in place of conditionals now (old 1.0 - 1.2 behavior).

Old behavior (DO NOT USE):

filter {
  grok {
    match => [ lots of stuff here ]
    type => "Snort"
  }
}

What you have with your conditional is the correct way to use type.


#3

Two questions: Why is type included for INPUT when you can't use it anywhere else? And, how do I do a conditional now, if I can't specify type? How do I tell

input {
        udp {
                type => "Snort"
                port => 5514
        }
        udp {
                type => "Conn"
                port => 6514
        }
        udp {
                type => "Syslog"
                port => 7514
        }
        udp {
                type => "Logon"
                port => 7515
        }

}

the above match with:

filter {

        if [type] == "Snort" {
                grok {
                        match => [ stuff ]
                }
        }

        if [type] == "Conn" {
                grok {
                        several match => [ stuff ]

                }
        }

        if [type] == "Syslog" {
                grok {
                        several match lines match => [ stuff ]

                }
        }

        if [type] == "Logon" {
                grok {
                        match => [ stuff ]

                }
        }
}

How do I match a specific input to a specific filter now? Thank you.


(Aaron Mildenstein) #4

You can use type as a regular field. You just can't use type => "value" in place of conditionals. Logstash still uses type to set the Elasticsearch document _type on output.

Again, you can use type. The examples you've provided are completely valid and usable.


#5

Ah...I see now (I think)...from the Breaking Changes:

The following deprecated configuration settings are removed in this release:
input plugin configuration settings: debug, format, charset, message_format

output plugin configuration settings: type, tags, exclude_tags.

filter plugin configuration settings: type, tags, exclude_tags.

that had me confused.....ok thanks for clearing that up...I'm feeling better every minute with my pending upgrade :smile:
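
Added example, not part of the original thread: the three filter/output settings listed as removed above (type, tags, exclude_tags), shown beside the 2.0 conditional that replaces them. The tag names, the field name snort_payload and the grok pattern are constructed for illustration.

```logstash
input {
  udp {
    type => "Snort"        # still valid in 2.0: sets the event's type field
    tags => ["ids"]        # still valid in 2.0: input plugins can add tags
    port => 5514
  }
}

filter {
  # 1.x form, removed in 2.0 (settings placed inside the filter plugin):
  #   grok {
  #     type         => "Snort"
  #     tags         => ["ids"]
  #     exclude_tags => ["parsed"]
  #     match        => ...
  #   }
  #
  # 2.0 form: the same three tests written as one conditional.
  if [type] == "Snort" and "ids" in [tags] and "parsed" not in [tags] {
    grok {
      # Constructed pattern; substitute the real Snort pattern here.
      match   => { "message" => "%{GREEDYDATA:snort_payload}" }
      add_tag => ["parsed"]
    }
  }
}

output {
  # 1.x form, removed in 2.0:
  #   stdout { type => "Snort"  exclude_tags => ["_grokparsefailure"] }
  #
  # 2.0 form: wrap the output plugin in a conditional instead.
  if [type] == "Snort" and "_grokparsefailure" not in [tags] {
    stdout { codec => rubydebug }
  }
}
```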

