I have 3 servers:
On the web server, I have filebeat and metricbeat running. I want the apache logs being sent by filebeat to be grok'd, but not the metricbeat system logs.
On my logstash server I have a file in /etc/logstash/conf.d/ called "apache-filter.conf". Here is what the file looked like when it worked:
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  grok {
    match => { "message" => "%{IP:client}" }
  }
  geoip {
    source => "client"
  }
}
Then I added a conditional and it broke (data is passed to elasticsearch raw with no filters applied):
filter {
  if [filebeat] in [_index] {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    grok {
      match => { "message" => "%{IP:client}" }
    }
    geoip {
      source => "client"
    }
  }
}
What am I doing wrong?
Here's an example "_index" field from the Discover tab in Kibana:
_index filebeat-2018.04.06
The in operator does an exact match on a list of strings. You need to pattern match:
if ([_index] =~ /filebeat/) {
  # filters here
}
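As an added example (not from either poster), here is a complete pipeline that applies the Apache grok/geoip filters only to events shipped by Filebeat and lets Metricbeat events through untouched. It assumes the beats input plugin is in use, so every event carries [@metadata][beat] set to the shipper's name, and uses a placeholder Elasticsearch address; the output section shows where the index name seen in Kibana is built.

```logstash
# Added example, not the original poster's config.
# Assumption: events arrive via the beats input, which populates
# [@metadata][beat] with "filebeat" or "metricbeat".
input {
  beats {
    port => 5044
  }
}

filter {
  # Only Filebeat events get Apache parsing; Metricbeat events pass through.
  if [@metadata][beat] == "filebeat" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    # COMBINEDAPACHELOG already captures the client address as "clientip",
    # so geoip can read that field directly.
    geoip {
      source => "clientip"
    }
  }
  # Regex form of the same condition, if a pattern match is preferred:
  #   if [@metadata][beat] =~ /^filebeat$/ { ... }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]   # placeholder address
    # The index name shown in Kibana (e.g. filebeat-2018.04.06) is built
    # here from @metadata; it is not a field stored on the event itself.
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
```

Events that fail the grok match are tagged _grokparsefailure by Logstash, which is a quick way to check in Kibana whether the conditional is selecting the right events.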