Using conditionals to decide which logs to filter

sarahvo · September 5, 2019, 6:11pm

Hi, I'm using the beat utilities to ship logs to Logstash. I only want to parse the logs using the grok filter when it's coming from filebeat, but I can't seem to get it to work. The parsing works the way I want it to, but when I add the conditional, it doesn't go through.

Here's what my filter section looks like:

filter {
  if [input.type] == "log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:ltm.timestamp}\s%{SYSLOGHOST:ltm.name}\s%{LOGLEVEL:log.level}\s%{PROG:program}(?:\[%{POSINT:pid}\])?:\s%{GREEDYDATA:ltm.message}" }
    }
    date {
      match => [ "time", "ISO8601" ]
    }
  }	
}

Any insight on how to use the conditional correctly would be greatly appreciated! Thanks!

Badger · September 5, 2019, 6:13pm

[input.type] refers to a field with a period in the name. You probably want the type field within the input object, which would be [input][type]

sarahvo · September 5, 2019, 6:17pm

Works now! Thanks!

system · October 3, 2019, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Conditional filtering not working in logstash Logstash	13	5502	March 6, 2019
NEW to ELK: using conditionals in filter Logstash	7	1049	October 7, 2019
Filter based on input (Filebeat/Winlogbeat) in logstash Logstash	3	1038	September 4, 2019
Conditional being ignored for grok match Logstash	3	1075	July 6, 2017
Grok filter on logstash Logstash	5	438	March 30, 2020

Using conditionals to decide which logs to filter

Related Topics