I have events coming in with an ID of 123. Is it possible to have this event indexed into two different indices by doing something like below?
output {
if [log] == 123 {
elasticsearch {
index => "123logs"
}
}
elasticsearch {
index => "all_logs"
}
}
Yes, you can use conditionals to route some messages to multiple outputs.
So, just to be clear, an event continues to process all outputs until there are none left, it does not stop processing outputs on first match?
That is correct.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.