Thanks again badger, something like this? Sorry to bother you again badger, but right now I don't have access to logstash, and tomorrow I have to do this in the least time possible.
input {
  file {
    path => "some_path/uptime*"
    add_field => {"server" => "some_server" }
    add_field => {"application" => "uptime" } #this is not part of the conditional
  }
  file {
    path => "some_other_path/uptime*"
    add_field => {"server" => "some_other_server" }
    add_field => {"application" => "uptime" } #this is not part of the conditional
  }
}
filter {
  if [application] == "uptime" {
    grok {...}
  }
}
output {
  if [application] == "uptime" {
    elasticsearch {
      hosts => ["elastic:9200"]
      index => "uptime-%{+YYYY.MM.dd}"
    }
  }
}
That looks like it would work, but I am unclear why you would make everything conditional when they all appear to satisfy the same condition. Adding tags and testing for the tags being there appears to be a no-op.
Do you mean the "if [application] == "uptime"" on the filter and the output?
The person that was working before me in logstash didn't use pipelines.yml to run multiple pipelines, he used another method. I think he ran multiple pipelines on one .conf, so to avoid data mixing he used the conditionals. I picked up the same practice out of ignorance I think, and because I use the "application" field when I do requests in the elastic api, but you are right, I'm gonna get rid of the conditionals and simply add the field... Thanks again Badger, as always you are very helpful.