Currently I have Filebeat on a server with multiple different application logs, so I have multiple prospectors grabbing and tagging the different application logs. The logs have different formats, so one of them needs to be sent to Logstash for filtering, while the others are JSON so they can go directly to Elasticsearch.
My question is: is there a way to ensure the one log that needs filtering is only sent to Logstash, not Elasticsearch, and the logs that do not need filtering are sent only to Elasticsearch and not Logstash? Currently I have something like this for my Elasticsearch output:
- index: "audience_backend-%{+yyyy.MM.dd}"
  when.contains:
    type: "audience_backend"
- index: "audience_exceptions-%{+yyyy.MM.dd}"
  when.contains:
    type: "audience_exceptions"
The issue is that the third log, which has a different type, is still sent to Elasticsearch under the default Filebeat index even though it does not match either of the above.