Logstash remove type and keep _type

I have a logstash client and server.
The client sends log files with the output of udp logstash to the server, and the server also runs logstash to get these logs. On the server, I have a json filter that pulls the json formatted message into the fields of the actual log so that elasticsearch can index them.

Here is my code from the server:

input{
  udp{}
}

filter{
  json {
    source => "message"
  }
}

output{
  elasticsearch{
  }
}

      

And from the client:

input{
  file{
    type => "apache-access"
    path => "/var/log/apache2/access.log"
  }
}

output{
  udp{
    host => "192.168.0.3"
  }
}

      

This code works great except for one thing:
In some way I get the field type twice, once as type and once as _type; they have the same content.

I tried to remove the field type using the mutate filter like this:

mutate{
  remove_field => [ "type" ]
}

      

but this filter removes both type fields. (The field _type is set to the default: logs.)

How do I keep the field _type and delete the field type?

1 answer


It works for me this way:

input { 
    file {
        add_field => { "[@metadata][type]" => "apache-access" }
        path => "/var/log/apache2/access.log"
    }
}

filter {
    ......
    if [@metadata][type] == "xxx" {

    }
    ......
}
output {
    elasticsearch {
        hosts => ["localhost:9200"] 
        index => "logstash-%{+YYYY.MM.dd}"
        document_type => "%{[@metadata][type]}"
    }
}

      



@metadata and document_type


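The @metadata and document_type approach from the answer, adapted to the question's client/server UDP setup, as an added example that is not part of the original answer. It assumes the client keeps type => "apache-access" on its file input; because @metadata is not serialized by the client's udp output, the server moves the incoming type field into [@metadata][type] after the json filter. The port value is a constructed placeholder.

```logstash
# Server-side pipeline (added example, not the answerer's code).
input {
  udp {
    port => 5000   # constructed placeholder: use the port the client's udp output sends to
  }
}

filter {
  # The client's event arrives as a JSON string in "message";
  # parsing it recreates the client's fields, including "type".
  json {
    source => "message"
  }

  if [type] {
    # Move the value out of the stored document: @metadata fields are
    # available to filters and outputs but are never written to Elasticsearch.
    mutate {
      rename => { "type" => "[@metadata][type]" }
    }
  } else {
    # No type sent by the client: fall back to the default the question
    # reports for _type.
    mutate {
      add_field => { "[@metadata][type]" => "logs" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
    # _type is set explicitly from metadata, so it no longer depends on
    # the "type" field being present in the event.
    document_type => "%{[@metadata][type]}"
  }
}
```

With this in place the indexed document keeps _type but has no type field in its source, and later filters can still branch on [@metadata][type].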