Field reference from _source for conditional output

alfianaf · September 23, 2021, 4:32am

I used the bottom one from you've recommended,
sorry if my information before is not complete enough
here was my config :

if "iris-uat" in [openshift][kubernetes][namespace_name] {
		elasticsearch {
			hosts => ["xxx:9200"]
            index => "iris-uat-%{+YYYY.MM}"
		}
	}
else if "iris" in [openshift][kubernetes][namespace_name] {
		elasticsearch {
			hosts => ["xxx:9200"]
            index => "iris-dev-%{+YYYY.MM}"
		}
	}

I think the anomaly happened because "iris" and "iris-uat" is counted as same because I used "in" conditional,
rather I use "==" conditional to add tag and then use "in" conditional for the output

here's my code on my filter section:

		if [openshift][kubernetes][namespace_name] == "iris" {
			mutate { add_tag => "iris" }
		} else if [openshift][kubernetes][namespace_name] == "iris-uat" {
			mutate { add_tag => "iris-uat" }
		}

and this on my output section :

if "iris" in [tags] {
		elasticsearch {
			hosts => ["xxx:9200"]
            index => "iris-dev-%{+YYYY.MM}"
		}
	}
	else if "iris-uat" in [tags] {
		elasticsearch {
			hosts => ["xxx:9200"]
            index => "iris-uat-%{+YYYY.MM}"
		}
	}
    else {
        #stdout { codec => rubydebug }
        elasticsearch {
            hosts => ["xxx:9200"]
            index => "iris-new-%{+YYYY.MM}"
        }
    }

Now it is fixed, thanks for your explanation, because now I can clearly know how the syntax work

Topic		Replies	Views
Outputting into different indices based on source Logstash	1	229	October 25, 2019
Conditional Index Value in output Logstash	3	778	October 28, 2019
Elasticsearch index based on source field Logstash	2	2489	September 14, 2017
Conditional index in output Logstash	1	737	July 11, 2020
Output data in multiple indices based on fields Logstash	3	2919	January 15, 2018

Field reference from _source for conditional output

Related topics