Can you use variables in logstash to account for multiple WebSphere hosts?

I currently have logstash configured to process WebSphere SystemOut.log files. No issues there. I have created a mutate construct within the filter section to enable us to add hostname, nodename, etc., so that we can properly separate things in Elasticsearch when we perform our analysis.

But, as we are going to switch to multiple WebSphere hosts using Filebeats I am trying to think through how best to ensure that 'host/node/AppServer' type information is included into the indexing scheme.

Can I / should I configure the 'tags' in filebeat to include the information I desire and then include this information into a logstash variable?

As this information isn't within the SystemOut.log file I'm trying to strategize on the best way to accomplish this.

How are others accomplishing this and/or what options should I pursue?

Thanks.

Whenever possible, set those fields as close to the source as possible. Filebeat should automatically populate the hostname, and setting additional fields to indicate the application name or whatever should also be done on the Filebeat side. It's hard to get more specific than that without knowing more about what fields you need and in what context(s) the data for the field is known.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.