Using Logstash, I found it very useful to separate my configuration files into inputs, filters and outputs. For example, the simplest layout is three files:
- /etc/logstash/inputs.conf
- /etc/logstash/filters.conf
- /etc/logstash/outputs.conf
The direct benefit is that you can now easily write tests for the filters part using rspec and run them with Logstash (bin/logstash rspec spec/filters_spec.rb) to validate your configuration after changes.
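As an added example (not part of the original post), here is a spec file of the kind that command runs. It assumes the rspec helpers shipped with Logstash 1.x (test_utils, which provide the config, sample and insist helpers), a grok filter that is shown inline in the FILTERS_CONF constant rather than read from /etc/logstash/filters.conf, and two constructed log lines. The point of the second sample is the failure case: a line that does not match the pattern must end up tagged, not silently pass through with missing fields.

```ruby
# spec/filters_spec.rb
# Run with: bin/logstash rspec spec/filters_spec.rb
# Added example, not from the original post. It needs Logstash's own
# rspec helpers (test_utils), so it only runs under bin/logstash rspec.
require "test_utils"

# Inline copy of what filters.conf is assumed to contain (hypothetical filter).
# In production, load the deployed file instead:
#   config File.read("/etc/logstash/filters.conf")
FILTERS_CONF = <<-CONFIG
  filter {
    grok {
      # constructed access-log style pattern: client, verb, path, status
      match => { "message" => "%{IPORHOST:clientip} %{WORD:verb} %{URIPATHPARAM:request} %{NUMBER:status:int}" }
      # pre-1.4 grok returns arrays unless singles is set; harmless on newer 1.x
      singles => true
    }
  }
CONFIG

describe "filters.conf" do
  extend LogStash::RSpec

  config FILTERS_CONF

  # Well-formed (constructed) line: every field must be extracted and typed.
  sample "10.0.0.5 GET /login 200" do
    insist { subject["tags"] }.nil?            # no _grokparsefailure tag
    insist { subject["clientip"] } == "10.0.0.5"
    insist { subject["verb"] } == "GET"
    insist { subject["request"] } == "/login"
    insist { subject["status"] } == 200        # :int conversion applied
  end

  # Malformed (constructed) line: grok must flag it so it can be alerted on
  # or routed separately in outputs.conf rather than indexed half-parsed.
  sample "garbage that matches nothing" do
    insist { subject["tags"] }.include?("_grokparsefailure")
    insist { subject["clientip"] }.nil?
  end
end
```

Keeping the spec next to the real filters file means a change to filters.conf that breaks field extraction (or stops tagging bad lines) fails the spec before the configuration is deployed.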
When you do not know the event format produced by your inputs, a good way to build sample events is to use a separate config with no filters, a single input, and a stdout output using the rubydebug codec, like:
input {
  # add the input config to analyse, e.g. the file or syslog input under test
}
output {
  # print each event with all its fields, so the field names can be used in filter tests
  stdout {
    codec => rubydebug
  }
}