What's wrong with my mutate filter?

Elastic Stack Logstash
1

Hi there, first time requiring help here :wink:

In order to filter some different inputs (actually same filebeat input, but multiple beats/formats are sent),
I achieved to get this following logstash pipeline:

input {
    beats {
        port => "5044"
    }
}

filter {
  if [@metadata][beat] == "apm" {
    if [processor][event] == "sourcemap" {
      mutate {
        add_field => { "[@metadata][index]" => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}" }
      }
    } else {
      mutate {
        add_field => { "[@metadata][index]" => "%{[@metadata][beat]}-%{[@metadata][version]}-%{[processor][event]}-%{+yyyy.MM.dd}" }
      }
    }
  }

  if [@metadata][beat] == "filebeat" {
    mutate {
      add_field => { "[@metadata][index]" => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+yyyy.MM.dd}" }
    }

    if [path] == "/var/log/wblog" {
      dissect { mapping => { "message" => "%{timestamp1->} %{+timestamp1} %{+timestamp1} %{Theatre} %{Product} %{Severity} %{Body}"
        "Body" => "%{1} %{2} %{3} %{4} %{5} %{6} %{7}" }
      }

      kv { source => "Body" }
    }
 }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "${[@metadata][index]}"
  }
}

The problem is that I only get one index in ES, named ${[@metadata][index]}
I followed the exemple of the documentation on logstash output for apm-server https://www.elastic.co/guide/en/apm/server/master/logstash-output.html

I have no error on APM-Server side, nor Filebeat nor Logstash. I have no clue on what happens, could you please help me ?

I'm fairly new to ELK, maybe it's a rookie error :sweat_smile:

Thx

2

Instead of

${[@metadata][index]}

you probably should be using

%{[@metadata][index]}
3

Gosh, that's right !

Stupid typo, Thanks Badger :hugs:

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.