Hello,
I am looking for some help in creating multiple indexes in ES with just a single Logstash config file. All dev logs should go to the dev index, all sys logs should go to the sys index, and uat logs to the uat index.
The Logstash input will be running on just a single port, for example 5043, and the filter remains the same for all environments. Is there a way we can configure only the output section and route the logs based on hosts, or is there any other way? I am putting the Logstash config below; any help will be greatly appreciated.
Please NOTE the config below did not work; everything is going to the sys-* index.
# One lumberjack listener shared by the shippers of every environment.
input {
  lumberjack {
    # Certificate and private key the listener presents for TLS.
    # Keep the key file readable only by the account that runs Logstash.
    ssl_certificate => "/opt/lumberjack.crt"
    ssl_key => "/opt/lumberjack.key"
    # TCP port the shippers connect to.
    port => "5043"
    # NOTE(review): only a server certificate is configured in this block;
    # nothing here authenticates the sender, so fields such as [host] are
    # whatever the shipper reports. Restrict who can reach this port.
  }
}
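# Decode the JSON payload of Liberty events; other event types pass through untouched.
filter {
  # The original pattern "liberty_*" was written like a glob. As a regular
  # expression it matches any type that merely contains "liberty", so anchor
  # on the intended prefix instead.
  if [type] =~ /^liberty_/ {
    if [type] == "liberty_accesslog" {
      # Access-log events: decode, then drop the raw JSON text
      # (the field is removed only when decoding succeeds).
      json {
        source => "message"
        remove_field => [ "message" ]
      }
    }
    else if [type] in [ "liberty_trace", "liberty_message", "liberty_ffdc" ] {
      # Trace, message and FFDC events get the same decode; the raw
      # message field is kept.
      json {
        source => "message"
      }
    }
    # NOTE(review): with no target set, the json filter writes the decoded
    # keys at the root of the event, replacing fields of the same name. If the
    # payload carries its own "host" (or "type") key, it overrides the value
    # set by the shipper, and the output section routes on [host]. Decoding
    # into a dedicated target field avoids letting log content pick the index;
    # confirm against a sample event first.
  }
}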
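# Route each event to a per-environment daily index based on its [host] field.
#
# The comparisons are exact and case-sensitive. If [host] holds a fully
# qualified name, different casing, or a value replaced during filtering, no
# branch matches and the event falls through to the final else (sys-*). Inspect
# a real event (for example with a temporary stdout output using the rubydebug
# codec) and copy the host values from there.
#
# NOTE(review): [host] is reported by the sender, so this routing separates
# environments for convenience only; it is not an access-control boundary.
# NOTE(review): no credentials or TLS are configured for Elasticsearch here.
# That relies on the node listening on localhost only; add authentication and
# transport encryption if it is ever reachable from other machines.
output {
  if [host] == "host1" or [host] == "host2" {
    elasticsearch {
      hosts => "localhost:9200"
      template => "liberty_logstash_template.json"
      template_overwrite => true
      index => "dev-%{+YYYY.MM.dd}"
    }
  } else if [host] == "UAT_HOST_1_PLACEHOLDER" or [host] == "UAT_HOST_2_PLACEHOLDER" {
    # The original had no uat branch, so uat events landed in sys-*.
    # Replace the placeholders with the real uat host values.
    elasticsearch {
      hosts => "localhost:9200"
      template => "liberty_logstash_template.json"
      template_overwrite => true
      index => "uat-%{+YYYY.MM.dd}"
    }
  } else {
    # Everything not listed above is treated as sys, as in the original.
    elasticsearch {
      hosts => "localhost:9200"
      template => "liberty_logstash_template.json"
      template_overwrite => true
      index => "sys-%{+YYYY.MM.dd}"
    }
  }
}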