Configure logstash with two same type sources

Hi there,
I'm trying to configure logstash for my application, in the case:

• Two sources with same type 'raw' (it's a type of buynan-logstash, a nodejs module)

input {
       tcp {
           type => "raw"
          port => 2101
       }
     tcp {
           type => "raw"
          port => 2102
       }
 }

• I want to separate into two indices, like this:

    output {
                 if [port] == 2101 {
                     elasticsearch {
                          index => "source1-%{+YYYY.MM.dd}"
                         hosts => ["localhost:9200"]
                     }
                 }
                 if [port] == 2102 {
                     elasticsearch {
                          index => "source2-%{+YYYY.MM.dd}"
                         hosts => ["localhost:9200"]
                     }
                 }
            }

However, it doesn't work. Only below works, although logs go into only one index:

  output {
         if [type] == 'raw' {
             elasticsearch {
                  index => "source12-%{+YYYY.MM.dd}"
                 hosts => ["localhost:9200"]
             }
         }
    }

Please help as I want to have two separated indices. Any recommendation would be appreciated!

The port value is not carried through with the event, it's simply a configuration value. You should add it to the type value with raw.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.