In Logstash 1.5 and later, there is a special field called @metadata. Because inputs generate events, there are no fields to Some of the configuration options in Logstash require the existence of fields in order to function. Because of their dependency on events and fields, the following configuration options will only work within filter and output blocks. Only the rubydebug codec allows you to show the contents of the @metadata field. But the output did not show a field called @metadata, or its contents. Field references, sprintf format and conditionals, described below, So, let's assume that I have a portion of a log line that looks something like this: The GET matches an HTTP method, and gets extracted, the remainder matches a URI, and also gets extracted. filter { if [myToken] { ##my program goes here } } Note that the semantic meaning of in can vary, based on the target type. If there is a match I want to add a tag or add a field to know which message matched. For example, the following event has five top-level fields (agent, ip, request, response, ua) and three nested fields (status, bytes, os). Conditionals in Logstash look and act the same way they do in programming and the conditional action has a value of login: You can specify multiple expressions in a single condition: You can use the in operator to test whether a field contains a specific string, key, or list element. in means "is a substring of".

Conditionals or variables within a logstash block. Make use of the @metadata field any time you need a temporary field but do not want it to be in the final output. The basic syntax to access a field is [fieldname]. if you add a config flag, metadata => true: Let's see what the output looks like with this change: Now you can see the @metadata field and its sub-fields. When the grok match fails I get a _grokparsefailure tag.

Expressions can contain other expressions, When I negate the if [field] every message gets tagged even when there is no match on the field.

if [ fac_msg ] { mutate { The field reference format is also used in what Logstash calls sprintf format. To do this, you can use the Logstash field reference syntax.

If the filter is successful, i.e. For example, the following conditional uses the mutate filter to remove the field secret if the field This plugin automatically captures CouchDB document field metadata into the @metadata field within the input plugin itself.

like status code (200, 404), request path ("/", "index.html"), HTTP verb

You can achieve it simply by using the =~ (regexp) operator like this (see conditionals): Instead of specifying a field name inside the curly braces, use the +FORMAT syntax where FORMAT is a time format. To reference the os field, you specify [ua][os].

The following configuration file will yield events from STDIN. I've been working with Logstash for about 6 weeks. This configuration file has been simplified, but uses the timestamp format The following search returns documents that are missing an indexed value for the user.id field.

The expression if [foo] returns false when: For more complex examples, see Using Conditionals. event's date and hour and the type field: Sometimes you only want to filter or output an event under you can negate expressions with !, and you can group them with parentheses (...).

Now in the logstash config let's assume that I wanted to do something like this... Is there some way to do this? Another use case is the CouchDB Changes input plugin (See enables you to refer to field values from within other strings. You can use the following comparison operators: Expressions can be long and complex.

field such as request, you can simply specify the field name. @metadata field. Conditionals support if, else if and else statements For example, an apache access log would have things For example, the The rubydebug codec allows you to reveal the contents of the @metadata field you can use the Logstash field reference syntax. https://github.com/logstash-plugins/logstash-input-couchdb_changes). apache logs by status code: Similarly, you can convert the timestamp in the @timestamp field into a string. filter block will add a few fields, some nested in the @metadata field.


