Clarification on if/else behavior in output

Heya all,

I want to confirm whether the particular behavior i'm seeing is normal and if there is another approach I should take towards my config.

Situation is that I have multiple inputs on a single pipeline, and am adding a field to the inputs based on the log type so I can process filters accordingly (time/date format, grok, etc)

Based on the same fields, I output using if/else to go to different indexes. Example of configuration below;

output {
  if [fields][log_type] == "type1" {
elasticsearch {
  hosts => ["http://10.250.11.22:9200"]
  index => "type1-%{+YYYY.MM.dd}"
}
  }

  if [fields][log_type] == "type2" {
elasticsearch {
  hosts => ["http://10.250.11.22:9200"]
  index => "type2-%{+YYYY.MM.dd}"
}
  }

  if [fields][log_type] == "type3" {
elasticsearch {
  hosts => ["http://10.250.11.22:9200"]
  index => "type3-%{+YYYY.MM.dd}"
}
  }

  if [fields][log_type] == "type4" {
elasticsearch {
  hosts => ["http://10.250.11.22:9200"]
  index => "type4-%{+YYYY.MM.dd}"
}
  }

  else {
elasticsearch {
  hosts => ["http://10.250.11.22:9200"]
  index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
  }
}

This works well, however I am getting all of the logs outputting to the index specified in else as a secondary (ie. filebeat-7.3.1-2019.09.23)

Ideally, I only want the else to be used in the case that there is no output type specified for my logs. Is this possible?

Hi @TechGeekNZ,

You need to add if and else if condition. Please try it with below format and let me know in case of any issue you are facing.

if ... {
  ...
} else if ... {
  ...
} else {
  ...
} 

Regards,
Harsh Bajaj

Great,

Thanks for the Harsh. It worked a treat. The penny should have dropped on that one, however what I had tried was doing an 'else if' on the final output and of course the configuration file wouldn't load

Cheers

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.