Is it possible to use wildcarded filenames in the filter plugin section of Logstash? For example, I want to index Apache access logs for some of our webapps, and since the Apache access logs have the date as part of the active filename (localhost_access_log..txt), I am trying to use wildcards. I create index names based on the source of the log, so in my filter section I have many source entries like:
This works for all of my sources except the apache access logs with the wildcard.
if [source] == "/path/to/apache/logs/localhost_access_log*.txt" {
    mutate {
        add_field => { 'app_type' => 'some_app_type' }
    }
}
This filter doesn't seem to hit and the access logs go into a default catchall index. In Kibana I can view the index and the log file entries just fine, even with the source showing up correctly as '/path/to/apache/logs/localhost_access_log..txt'
Ok, maybe I was wrong. Doesn't seem to be working. Is if [source] == "/path/to/apache/logs/localhost_access_log.%{YYYY-MM-dd}.txt" the correct syntax for a regex?
if [source] =~ "/path/to/apache/logs/localhost_access_log.*\.txt$" {
but the best option is to add the desired fields and/or tags at the one place where all of this is known, namely in the input section. You have one input per log type anyway, right?
We are using Filebeat for the input so I just have that one input:
Well, set the field and/or tags on the Filebeat side then. Same thing. The Logstash configuration shouldn't have an exact dependency to the file paths in the Filebeat configuration.
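A sketch of the Filebeat-side labelling suggested in the reply above, as an added example that is not part of the original thread. It assumes the Filebeat 6.3+ `filebeat.inputs` syntax; the second input, its `app_type` value and the Logstash host are hypothetical placeholders.

```yaml
# Added example (not from the thread). Assumes Filebeat 6.3+ input syntax.
filebeat.inputs:
  - type: log
    # Filebeat expands the glob itself, so the dated file name is handled here
    # and Logstash never needs to know the path.
    paths:
      - /path/to/apache/logs/localhost_access_log*.txt
    fields:
      app_type: some_app_type        # value from the question's mutate block
    # fields_under_root defaults to false, so the event carries
    # [fields][app_type] rather than a top-level [app_type].

  - type: log
    paths:
      - /path/to/other/app/logs/*.log   # hypothetical second source
    fields:
      app_type: other_app_type          # hypothetical value

output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder host

# Logstash side: branch on the label set above instead of on [source].
#
# filter {
#   if [fields][app_type] == "some_app_type" {
#     # grok and other per-type filters for this log type go here
#   }
# }
# output {
#   elasticsearch {
#     # index named after the label; unlabelled events need their own fallback
#     index => "%{[fields][app_type]}-%{+YYYY.MM.dd}"
#   }
# }
```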
Up until now, every single log from Beats has a configuration in the filter section in order to apply grok filters and such. I'm sure this is not optimal as the current pipeline is growing large.