Use filebeat added field for logstash conditions

Hello.

I'm having a problem understanding how exactly I am supposed to write the conditions in logstash with regards to fields I added to filebeat.
Here is my filebeat inputs

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - C:\inetpub\logs\LogFiles\*\*.log
  fields:
  iis: true

- type: log
  enabled: true
  paths:
    - C:\inetpub\logs\test\*.log
  fields:
    test: true

So what I am trying to do is to put each log in the correct index depending on the existing field iis or test.
My first pipeline currently looks like this:

#INPUT#
input {
  beats {
    port => 5044
    ssl => false
  }
}

#OUTPUT#
output {
  if [source] == "/var/log/messages" {
    pipeline { send_to => syslog }
  }
  elseif [source] == "/var/log/firewalld" {
    pipeline { send_to => firewalld }
  }
  elseif [type] == "wineventlog" {
    pipeline {send_to => winlog }
  }
  elseif [iis] {
    pipeline { send_to => iis }
  }
  elseif [test] {
    pipeline { send_to => test }
  }
}

The problem can only come from this pipeline I tried with no condition and everything goes into an index with the fields.test or fields.iis field as expected.
I tried to write [type] and [iis] as [fields][type] and [field][iis] but it doesn't work either.

I would expect testing [fields][type] or [fields][iis] to work.

And it does, the problem was from somewhere else but I must have solved it without realising it.

Thank you very much.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.