Hi
I have a requirement of creating the index based on the filed in the message
for example my grok is as below
(?:%{WORD:method}|-)(?:%{NOTSPACE:Appname}|-)
so in my message i have a set of Appname's, so i need to index the data into ES as per the Appname , so is there any way i can do this
Thanks
Yes, you can use a "sprintf" reference to the application name.
output {
elasticsearch {
index => "%{Appname}"
...
}
}
Just be aware that having a large number of small indexes adds a lot of performance overhead. But if you only have a small number of values for Appname this should be OK.
That would be an elasticsearch question, not a logstash question.
so now i need to add a condition here that if its a specific Appname that has uppercase in it, it has to be indexed as default logstash-* and if its a lower case then it has to be the index as index => "%{Appname}"
any option for this ?
I just mutated every thing with lowercase to avoid index failure 
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.