The Logstash event processing pipeline has three stages, that is, Inputs, Filters, and Outputs. A Logstash pipeline has two required elements, that is, input and output, and one option element known as filters:
Inputs create events, Filters modify the input events, and Outputs ship them to the destination. Inputs and outputs support codecs, which allow you to encode or decode the data as and when it enters or exits the pipeline, without having to use a separate filter.
Logstash uses in-memory bounded queues between pipeline stages by default (Input to Filter and Filter to Output) to buffer events. If Logstash terminates unsafely, any events that are stored in memory will be lost. To prevent data loss, you can enable Logstash to persist in-flight events to the disk by making use of persistent queues.
By default, Logstash starts with a heap size of 1 GB. This can be overridden by setting the Xms and Xmx properties in the jvm.options file, which is found under the LOGSTASH_HOME/config folder.
The Logstash pipeline is stored in a configuration file that ends with a .conf extension. The three sections of the configuration file are as follows:
input
{
}
filter
{
}
output
{
}
Each of these sections contains one or more plugin configurations. A plugin can be configured by providing the name of the plugin and then its settings as a key-value pair. The value is assigned to a key using the => operator.
Let's use the same configuration that we used in the previous section, with some little modifications, and store it in a file:
#simple.conf
#A simple logstash configuration
input {
stdin { }
}
filter {
mutate {
uppercase => [ "message" ]
}
}
output {
stdout {
codec => rubydebug
}
}
Create a conf folder under LOGSTASH_HOME. Create a file called simple.conf under the LOGSTASH_HOME/conf folder.
You may notice that this file contains two required elements, input and output, and that the input section has a plugin named stdin which accepts default parameters. The output section has a stdout plugin which accepts the rubydebug codec. stdin is used for reading input from the standard input, and the stdout plugin is used for writing the event information to standard outputs. The rubydebug codec will output your Logstash event data using the Ruby Awesome Print library. It also contains a filter section that has a mutate plugin, which converts the incoming event message into uppercase.
Let's run Logstash using this new pipeline/configuration that's stored in the simple.conf file, as follows:
E:logstash-7.0.0in>logstash -f ../conf/simple.conf
Once Logstash has started, enter any input, say, LOGSTASH IS AWESOME, and you should see the response, as follows:
{
"@version" => "1",
"host" => "SHMN-IN",
"@timestamp" => 2017-11-03T11:42:56.221Z,
"message" => "LOGSTASH IS AWESOME "
}
As seen in the preceding code, along with the input message, Logstash automatically adds the timestamp at which the event was generated, and information such as the host and version number. The output is pretty printed due to the use of the rubydebug codec. The incoming event is always stored in the field named message.