File output to multiple files

romariol · March 11, 2019, 10:03am

I have a Logstash conf where I split an incoming XML into multiple events. I would like to write a file per event. However, the file output writes all the events to a single file (so an event per line). Is there a way to achieve this?

filter {

xml{
   store_xml => "false"
   source => "message"
remove_namespaces => true
xpath => 
 [
"/root/Envelope", "Envelopes"         
   ]
  }

mutate {
    remove_field => ["message"]
  }

 split{
  field => "Envelopes"
 }
}

output {
file {
path => "/install/logstash/output-CL102-%{+yyyyMMddHHmmss}.xml"
}
}

Thanks

yaauie · March 12, 2019, 1:11am

If the sprintf format string provided to the file output plugin's path directive creates unique value per event, then you will effectively write exactly one event per file.

One way to create a unique field on an event is with the Fingerprint Filter Plugin.

system · April 9, 2019, 1:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash + XML + Multiple split Logstash	2	327	April 1, 2022
S3 output event per file Logstash	2	264	February 23, 2021
Create multiple events/docs from a single line Logstash	1	841	July 6, 2017
Multiple events in the same input XML Logstash	9	1342	April 6, 2018
Logstash, split event from an xml file in multiples documents keeping information from root tags Logstash	9	3265	July 6, 2017

File output to multiple files

Related topics