Hello,
I have a configuration like this :
Logs -> Logstash Broker -> Kafka -> Logstash Indexer -> Elasticsearch
In the borker, I add a tag "waf" to identify the log source.
In the indexer, I use this condition in the filters :
if "waf" in [tags] {
mutate {
add_tag => [ "if" ]
}
else {
mutate {
add_tag => [ "else" ]
}
In Kibana, I can see the tag "waf" but the indexer doesn't seem to see it, because the tag "else" is added (not the tag"if").
Thanks for any help.
Max
Ok I found the solution : I need to add the json filter before the condition.
json { source => "message" }
if "waf" in [tags] {
mutate {
add_tag => [ "if" ]
}
else {
mutate {
add_tag => [ "else" ]
}This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.