Am I misunderstanding if/else statements?

helium · March 9, 2017, 4:49am

Hi,

I have a bunch of logstash (2.4.0) nodes with this output config:
output { if [environment] == "stage" { elasticsearch { hosts => [ "elasticsearch-01" ] index => "logstash-stage-%{+YYYY.MM.dd}" } } else { elasticsearch { hosts => [ "elasticsearch-01" ] index => "logstash-%{+YYYY.MM.dd}" } } }
The idea is of course that logs with the environment field set to stage should go into the logstash-stage index. This is not working as intended because it goes to both indices i.e. the same event is found under both logstash-stage and logstash-. This only happens for events with environment == stage, other events only goes to logstash- as they should. What am I doing wrong?

Thanks,

magnusbaeck · March 9, 2017, 2:22pm

Your configuration looks correct. If you're storing your configuration file(s) in /etc/logstash/conf.d, do you have any other files there (like one with an elasticsearch output)? Logstash will read all files in that directory.

helium · March 9, 2017, 10:41pm

I figured it out... it's in the right index but Kibana evaluates both indices since logstash-* ofcourse matches logstash-stage-%{+YYYY.MM.dd} too. I renamed the stage one to logstage and all is good.

Thanks!

system · April 6, 2017, 10:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.