File output to multiple files

romariol · March 11, 2019, 10:03am

I have a Logstash conf where I split an incoming XML into multiple events. I would like to write a file per event. However, the file output writes all the events to a single file (so an event per line). Is there a way to achieve this?

filter {

xml{
   store_xml => "false"
   source => "message"
remove_namespaces => true
xpath => 
 [
"/root/Envelope", "Envelopes"         
   ]
  }

mutate {
    remove_field => ["message"]
  }

 split{
  field => "Envelopes"
 }
}

output {
file {
path => "/install/logstash/output-CL102-%{+yyyyMMddHHmmss}.xml"
}
}

Thanks

yaauie · March 12, 2019, 1:11am

If the sprintf format string provided to the file output plugin's path directive creates unique value per event, then you will effectively write exactly one event per file.

One way to create a unique field on an event is with the Fingerprint Filter Plugin.

system · April 9, 2019, 1:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.