Creating single index only

Hi,

I have the following conf file.

It creates only one index (auth1) in my Elasticsearch, not the other one.

input {
  file {
    type => "Apache"
    path => "/home/test/test1.log"
    start_position => beginning
  }
  file {
    type => "Auth"
    path => "/var/log/auth.log"
    start_position => beginning
  }
}

filter {

  if [type] == "Apache" {
    grok {
      # The literal [ ] around the timestamp must be escaped in a grok pattern
      match => { "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}' }
    }

    date {
      match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    }

    geoip {
      source => "clientip"
      target => "geoip"
      database => "/home/Downloads/test/GeoLiteCity.dat" # e.g. database =>"E:/logstash/GeoLiteCity.dat"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }

    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }

  }

  if [type] == "Auth" {
    grok {
      match => { "message" => '%{SYSLOGBASE} %{GREEDYDATA:logline}' }
    }

  }

}

output {
  if [type] == "Apache" {
    stdout { codec => rubydebug }
    elasticsearch {
      hosts => "localhost:9200"
      index => "apache1"
    }

  }
  if [type] == "Auth" {
    stdout { codec => rubydebug }

    elasticsearch {
      hosts => "localhost:9200"
      index => "auth1"
    }

  }
}

Please help me with this!

Thanks
Gaurav

If you only keep the stdout config in the first elasticsearch block, do you see some output?

I didn't get you. Can you please elaborate a little?

Thanks
Gaurav

Hi,

output {
  stdout { codec => rubydebug }
  if [type] == "Apache" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "apache2"
    }
  } else {
    elasticsearch {
      hosts => "localhost:9200"
      index => "auth2"
    }
  }
}

I have used this syntax. Still, it is creating only the auth2 index.