Dynamic index name

Elastic Stack Logstash
1

Hi!

I'm trying to dynamically set index names with if-cases in my logstash.conf file. Basically if file name is A then indexname should be A. But for some reason my variable (type) is not set or accessible when I get to the output section leaving me with an index name like : %{type}-2015-05-10

What am I doing wrong?

This is my config:

   input {
        file {
                path => "/somefolder/*.log"
                 start_position => beginning
                    sincedb_path => "somfilelocation"
            } 
    }
    
        filter {
            if [path] = condition_a {
            mutate { replace => { "type" => "ToBeIndexName" } }
        }

        elseif [path] = condition_b {
        mutate { replace => { "type" => "ToBeIndexName" } }

        } 

    Some parsing 

 

       output {
                elasticsearch {
                                index => "%{type}-%{+YYYY.MM.dd}"
                        }
    }
2

Start by using == as the equality operator instead of =. If that doesn't help I reckon it boils down to exactly what your conditionals look like, but as long as they're obfuscated we can't really help you.

3

Hi There, I am using below configuration file but index is not replaced.

input { file {
path => "inp_file.txt"
start_position => "beginning"
}
}

filter {

grok {
patterns_dir => ["./diag_patterns"]
match => { "message" => "%{GET_CPE_ID:cpe_id}" } } /this is fetching a number/
}

output {
elasticsearch {
hosts => ["localhost:9200"]
index => "%{cpe_id}" /This is not getting replaced/
}
stdout { codec => json }
}

json outfrom stdout is
{"path":"C:\Users\sushiku2\Downloads\ELK\Practice_Learn_ELK\DIAG_sample2.txt","@timestamp":"2017-06-01T10:02:59.296Z","@version":"1","host":"SUSHIKU2-MNFSN","cpe_id":"1638916117","message":"801998 !MIL -SPM_SERVER \t\t< p:0x00000612 P:MW t:0x02e49500 T:SPM_THREAD M:spm_ps.c F:SPM_PS_FillRequestParametersVOO L:3038 > Real CPE_ID=1638916117, Network ID=1320, HDDId=WD-WXC1A63N2060, First install=false","tags":["_grokparsefailure"]}

4

@Sushil_Kumar, please start new threads for new questions.