So..what do I use with 2.0 now that "type" is gone?

DigiAngel · November 12, 2015, 6:25pm

I use type for both input and filter:

input {
        udp {
                type => "Snort"
                port => 5514
        }
}

and:

if [type] == "Snort" {
                grok {
                        match => [ lot's of stuff here ]
     }
}

Now what do I do? What other options do I have?

theuntergeek · November 12, 2015, 6:41pm

The type field still works in the input block. You just can't use it in place of conditionals now (old 1.0 - 1.2 behavior).

Old behavior (DO NOT USE):

filter {
  grok {
    match => [ lot's of stuff here ]
    type => "Snort"
  }
}

What you have with your conditional is the correct way to use type.

DigiAngel · November 12, 2015, 6:49pm

Two questions: Why type type included for INPUT when you can't use it anywhere else? And, how do I do a conditional now, if I can't specify type? How do I tell

input {
        udp {
                type => "Snort"
                port => 5514
        }
        udp {
                type => "Conn"
                port => 6514
        }
        udp {
                type => "Syslog"
                port => 7514
        }
        udp {
                type => "Logon"
                port => 7515
        }

}

the above match with:

filter {

        if [type] == "Snort" {
                grok {
                        match => [ stuff ]
                }
        }

        if [type] == "Conn" {
                grok {
                        several match => [ stuff ]

                }
        }

        if [type] == "Syslog" {
                grok {
                        several match lines match => [ stuff ]

                }
        }

        if [type] == "Logon" {
                grok {
                        match => [ stuff ]

                }
        }
}

How do match a specific input, to a specific filter now? Thank you.

theuntergeek · November 12, 2015, 7:08pm

You can use type as a regular field. You just can't use type => "value" in place of conditionals. Logstash still uses type to set the Elasticsearch document _type on output.

Again, you can use type. The examples you've provided are completely valid and usable.

DigiAngel · November 12, 2015, 7:17pm

Ah...I see now (I think)...from the Breaking Changes:

The following deprecated configuration settings are removed in this release:
input plugin configuration settings: debug, format, charset, message_format

output plugin configuration settings: type, tags, exclude_tags.

filter plugin configuration settings: type, tags, exclude_tags.

that had me confused.....ok thanks for clearing that up...I'm feeling better every minute with my pending upgrade