Using conditionals to decide which logs to filter

sarahvo · September 5, 2019, 6:11pm

Hi, I'm using the beat utilities to ship logs to Logstash. I only want to parse the logs using the grok filter when it's coming from filebeat, but I can't seem to get it to work. The parsing works the way I want it to, but when I add the conditional, it doesn't go through.

Here's what my filter section looks like:

filter {
  if [input.type] == "log" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:ltm.timestamp}\s%{SYSLOGHOST:ltm.name}\s%{LOGLEVEL:log.level}\s%{PROG:program}(?:\[%{POSINT:pid}\])?:\s%{GREEDYDATA:ltm.message}" }
    }
    date {
      match => [ "time", "ISO8601" ]
    }
  }	
}

Any insight on how to use the conditional correctly would be greatly appreciated! Thanks!

Badger · September 5, 2019, 6:13pm

[input.type] refers to a field with a period in the name. You probably want the type field within the input object, which would be [input][type]

sarahvo · September 5, 2019, 6:17pm

Works now! Thanks!

system · October 3, 2019, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Conditional filtering not working in logstash Logstash	13	5505	March 6, 2019
Can't make conditionnal filtering to work Logstash	7	1366	December 5, 2016
Logstash filter based on beat.name - not type possible? Logstash	4	2120	March 7, 2018
NEW to ELK: using conditionals in filter Logstash	7	1052	October 7, 2019
Filter based on input (Filebeat/Winlogbeat) in logstash Logstash	3	1039	September 4, 2019

Using conditionals to decide which logs to filter

Related topics