Duplicating Event To Multiple Indices

wwalker · May 9, 2023, 2:39pm

I have events coming in with an ID of 123. Is it possible to have this event indexed into two different indices by doing something like below?

output {
  if [log] == 123 {
    elasticsearch {
      index => "123logs"
    }
  }
  elasticsearch {
    index => "all_logs"
  }
}

Badger · May 9, 2023, 3:19pm

Yes, you can use conditionals to route some messages to multiple outputs.

wwalker · May 10, 2023, 4:02pm

So, just to be clear, an event continues to process all outputs until there are none left, it does not stop processing outputs on first match?

Badger · May 10, 2023, 4:18pm

That is correct.

system · June 7, 2023, 4:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cross contamination of events in multiple indexes Elasticsearch	4	506	June 14, 2017
How to push same document into multiple indexes? Logstash	7	3285	September 19, 2018
Two outputs with different data Logstash	4	531	May 20, 2018
Multiple Indices in Output not working Logstash	3	538	July 6, 2017
Reindex a subset of data to a different index Logstash	3	328	July 14, 2020