Given the following Logstash filter configuration, what will be the value of the message field after processing?
filter { mutate { add_field => { "message" => "Hello" } } mutate { update => { "message" => "%{message} World" } } }
Remember that update replaces the field value and supports field references.
The first mutate adds the field message with value "Hello". The second mutate updates message by appending " World" using the field reference %{message}. So the final value is "Hello World".
In Logstash, which plugin type is used to send processed data to Elasticsearch?
Think about the plugin that handles where data goes after processing.
Output plugins in Logstash send data to destinations like Elasticsearch, files, or other systems.
Consider this Logstash filter snippet. What error will Logstash raise when processing?
filter { if [nonexistent_field] == "value" { mutate { add_field => { "new_field" => "test" } } } }
Logstash conditions on missing fields usually do not cause errors.
If the field does not exist, the condition evaluates to false and the block is skipped without error.
Given this Logstash filter configuration, how many events will be output for one input event?
filter { split { field => "tags" } }
The split filter creates one event per element in the specified field array.
The split filter breaks an array field into multiple events, one per element.
Examine this Logstash pipeline configuration snippet. Why will Logstash fail to start?
input { stdin {} } filter { mutate { add_field => { "field1" => "value1" } } } output { elasticsearch { hosts => ["http://localhost:9200"] index => "myindex" user => "elastic" } }
Check required authentication parameters for Elasticsearch output plugin.
The Elasticsearch output plugin requires both user and password if authentication is enabled. Missing password causes startup failure.