Hi, I'm using the Beats utilities to ship logs to Logstash. I only want to parse the logs using the grok filter when they're coming from Filebeat, but I can't seem to get it to work. The parsing works the way I want it to, but when I add the conditional, it doesn't go through.
Here's what my filter section looks like:
filter {
  if [input.type] == "log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:ltm.timestamp}\s%{SYSLOGHOST:ltm.name}\s%{LOGLEVEL:log.level}\s%{PROG:program}(?:\[%{POSINT:pid}\])?:\s%{GREEDYDATA:ltm.message}" }
    }
    date {
      match => [ "time", "ISO8601" ]
    }
  }
}
Any insight on how to use the conditional correctly would be greatly appreciated! Thanks!
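
For reference, an added example that is not part of the original post: Logstash field references use one bracket pair per nesting level, so `[input.type]` looks up a single top-level field whose name contains a literal dot, while `[input][type]` reaches `type` inside the `input` object. The sketch below assumes the Filebeat version in use ships the input type as that nested object; the nested capture names in the grok pattern and the temporary `stdout` output are choices made for this example.

```logstash
filter {
  # Assumption: the event from Filebeat looks like
  #   { "input": { "type": "log" }, "message": "..." }
  # [input][type] walks into the nested object.
  # [input.type] would only match a top-level key named "input.type".
  if [input][type] == "log" {
    grok {
      # Captures written as [a][b] create nested fields instead of
      # top-level fields with dots in their names.
      match => { "message" => "%{TIMESTAMP_ISO8601:[ltm][timestamp]}\s%{SYSLOGHOST:[ltm][name]}\s%{LOGLEVEL:[log][level]}\s%{PROG:program}(?:\[%{POSINT:pid}\])?:\s%{GREEDYDATA:[ltm][message]}" }
    }
    date {
      # Parse the timestamp that grok just captured; a field the
      # event does not carry is skipped by the date filter.
      match => [ "[ltm][timestamp]", "ISO8601" ]
    }
  }
}

output {
  # Temporary check: print each event in full to confirm where the
  # input type actually sits and whether the conditional branch ran
  # (events that entered it but failed the pattern carry the
  # _grokparsefailure tag).
  stdout { codec => rubydebug }
}
```

Events that never enter the conditional pass through unparsed without any error, so inspecting the `rubydebug` output is the quickest way to see which field path the shipper really sends.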