Variable on Logstash


(Ricardo Augusto Santos) #1

Hello everyone!

I'm creating centralized logs with Filebeat, Logstash, and Elasticsearch. My Beat and Elasticsearch work well.
I'm getting a problem in my Logstash output.

logstash.conf

input {
  # input plugin name was garbled in the original post; assumed to be beats (Filebeat, default port 5044)
  beats {
    port => 5044
  }
}
filter {
  if [type] == "t13_oms_log" {
    grok {
      patterns_dir => "./patterns"
      match => ["message", "% {GREEDYDATA: message}"]
      overwrite => ["message"]
    }
  }
}
filter {
  if [type] == "t13_crm_log" {
    grok {
      patterns_dir => "./patterns"
      match => ["message", "% {GREEDYDATA: message}"]
      overwrite => ["message"]
    }
  }
}
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["10.28.158.2:9200"]
    index => "% {type} _indexer"
  }
}

When Logstash sends data to Elasticsearch, it sends it to:
green open% {type} _indexer QSvQEmSNTAmIGeJIyFI_dA 5 1 3617 0 1.7mb 460b

Logstash cannot resolve the variable '% {type}'.

I tried using an if in the output, but it does not work. I need a static index name.
What can this be?


(Ry Biesemeyer) #2

It looks like you have superfluous spaces in your index pattern, which are causing the string replacement engine to not see the variable in the template:

  • Instead of: index => "% {type} _indexer",
  • please try: index => "%{type}_indexer"

(Ry Biesemeyer) #3

At second glance, the superfluous spaces around your GROK patterns are going to cause similar problems, and will result in the events not matching the patterns.

I also can't really tell what you're attempting to do with your GROK plugin configurations; the following, if specified correctly without extra spaces in the pattern template, would essentially say:

  • load all of the patterns in the specified directory (and then don't use any of them)
  • match the contents of the message field, capturing everything into a single resulting field that we will call message, overwriting the contents of message with an identical copy of itself.
grok {
  patterns_dir => "./patterns"
  match => ["message", "%{GREEDYDATA: message}"]
  overwrite => ["message"]
}
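To make the two replies concrete, here is a small added example (not from the thread, and not Logstash's own code) that models Logstash's `%{field}` sprintf substitution and lints a config for the malformed `% {...}` / `%{A: b}` references discussed above. It is a simplified model of the real format (no `%{+date}` support) and the config text is constructed for the demonstration.

```python
import re

# Well-formed Logstash field reference: %{type}, %{[host][name]}; no whitespace allowed inside.
FIELD_REF = re.compile(r"%\{([A-Za-z0-9_\[\]@.-]+)\}")
# Attempts at a reference that Logstash will not recognise: a space between % and {,
# or whitespace inside the braces (e.g. "% {type}", "%{GREEDYDATA: message}").
MALFORMED_REF = re.compile(r"%\s+\{[^}]*\}|%\{[^}]*\s[^}]*\}")


def resolve(template, event):
    """Expand %{field} references against an event the way Logstash's sprintf
    format does. Unknown or malformed references are left literal, which is why
    the poster's index ended up being named "% {type} _indexer"."""
    def substitute(match):
        name = match.group(1)
        return str(event.get(name, match.group(0)))
    return FIELD_REF.sub(substitute, template)


def lint_references(config_text):
    """Return (line_number, snippet) for each malformed reference in a config.
    Works for both output index templates and grok pattern strings."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for match in MALFORMED_REF.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


# Constructed config fragment reproducing the two mistakes from the thread.
SAMPLE_CONFIG = """\
filter {
  grok {
    match => ["message", "% {GREEDYDATA: message}"]
  }
}
output {
  elasticsearch {
    index => "% {type} _indexer"
  }
}
"""

if __name__ == "__main__":
    event = {"type": "t13_oms_log", "message": "sample line"}
    print(resolve("%{type}_indexer", event))      # t13_oms_log_indexer
    print(resolve("% {type} _indexer", event))    # % {type} _indexer (unchanged)
    for lineno, snippet in lint_references(SAMPLE_CONFIG):
        print(f"line {lineno}: malformed reference {snippet!r}")
```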
