I'm having a bit of a problem and I can't seem to solve it, so hopefully someone here can help.
I have multiple servers running various beats (filebeat, winlogbeat, metricbeat). These are all configured to ship to Logstash. Filebeat is currently configured to ship the IIS log that is generated from the websites that reside on the servers.
This is all working great and all of my metrics and events are coming in and available in Kibana as expected. The IIS logs are also coming in fine; however, my grok filter isn't being applied, so the details are all in a single message block rather than being split out. I have tested the grok setup and that is fine.
The problem is that I have an if statement saying that only type IIS should have the grok applied; everything else should go through as normal. When I check the records under filebeat-* in Kibana they are showing as type log, so not being picked up as IIS logs.
How do I specify that these are IIS logs and ensure that the type is set correctly? Or is there another way of specifying which are IIS logs to be filtered and what is everything else?
Thank you so much, this will help me get my implementation off the ground!