Different types of json logs to different ES indices without using Logstash

soumen · September 20, 2018, 5:22pm

Hi,

I have two different types of json logs (with different fields) which I need to send to two different ES indices. I want to avoid having to setup Logstash just to do this via conditional processing or having to install separate instances of Filebeat. Is this possible with version 6.x?

I have looked at these previous questions: Multiple elasticsearch output configuration and Output different prospectors' logs to different Elasticsearch indices? - just checking if things have improved since then.

ruflin · September 25, 2018, 5:55am

I wonder if indices config option is the feature you are looking for? https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html#_literal_indices_literal

soumen · September 25, 2018, 8:45am

I did check that link before and I thought it was exactly what I was after. However, the key point here is that the fields of the two logs is entirely different and this link gives me the impression that the input structure is same; it just creates separate indices based on separate criteria - sort of like creating separate tables based on separate "where" clauses but the fields are same.

Please correct me if my impression is wrong.

system · October 23, 2018, 8:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.