What is the right way in version 7.4 to add fields in Filebeat and then connect it with the logstash.conf file so that each log file gets its own index created in ES?
Below is logstash.conf
```
input {
  beats {
    port => 5044
  }
}
filter {
  if [type] == "DispatcherApp" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  } else if [type] == "IncidentAgent" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    sniffing => true
    manage_template => false
    index => "dispatcher-%{+YYYY.MM.dd}"
    #index => "web-%{type}"
    #document_type => "log"
    #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```
And here is filebeat.yml
```
filebeat.inputs:
  -
    paths:
      - E:\DemoSetup\DispatcherApp\logs\dispatcher-scheduler.log
    input_type: log
    fields:
      dispatcher: true
    fields_under_root: true
  -
    paths:
      - E:\DemoSetup\Incident Agent\Logs\Trace.log
    input_type: log
    fields:
      trace: true
    fields_under_root: true
setup.template.name: "index-%{[beat.version]}"
setup.template.pattern: "index-%{[beat.version]}-*"
output:
  logstash:
    hosts: ["localhost:5044"]
```
@andrewkroh I read your pull from GitHub, but the document_type and formatting there is for an older version and doesn't create a separate index in ES. Thanks for your help in advance.
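One way to route each log file to its own index, shown as an added example that is not part of the original post or of any Elastic-provided configuration. It assumes each Filebeat input sets a custom field `fields.log_type` (a hypothetical name, kept under `fields` rather than at the root) to the lowercase value `dispatcher` or `incident`; the `unrouted` index name is also an assumption.

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # Assumed field: fields.log_type is set per input in filebeat.yml.
  # Only allowlisted values are accepted, so an event cannot steer itself
  # into an arbitrary index by carrying an unexpected field value.
  if [fields][log_type] in ["dispatcher", "incident"] {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    # @metadata is not sent to Elasticsearch, so the routing key stays
    # out of the stored document.
    mutate {
      add_field => { "[@metadata][target_index]" => "%{[fields][log_type]}" }
    }
  } else {
    # Events without the field would otherwise produce the literal,
    # invalid index name "%{[fields][log_type]}-...".
    mutate {
      add_field => { "[@metadata][target_index]" => "unrouted" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    manage_template => false
    # Index names must be lowercase, hence the lowercase field values.
    index => "%{[@metadata][target_index]}-%{+YYYY.MM.dd}"
  }
}
```

With `manage_template => false`, any index template for the resulting `dispatcher-*` and `incident-*` indices has to be installed separately.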