Filebeat store under different index per host?

xon · May 10, 2017, 2:45pm

Hi,

I am having different instances of filebeat running sending different logs and i want to output to elasticsearch and index per host. Is this a nested if statement and which field should I cross reference? Is it possible for someone to provide me a short example?

Thanks

giuseppe · May 10, 2017, 8:15pm

Would you be able to use beat.hostname?

https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-beat.html#_beat_hostname

xon · May 11, 2017, 10:24am

Thanks for your help. Still this doesnt work

output {
elasticsearch {
if beat.hostname == "testinghost1" {
hosts => "192.168.0.1:9200"
manage_template => true
index => "testing-%{+YYYY.MM.dd}"
}
}
}

Error says:
ERROR logstash.agent - Cannot create pipeline {:reason=>"Expected one of #, => at line 28, column 8 (byte 478) after output {\n elasticsearch {\n if "}

i went over this here ==> Question: Using the beat.hostname variable in Logstash config · Issue #869 · elastic/beats · GitHub

where it says

"I also had to switch from the field syntax beat.hostname to [beat][hostname] to get it to work with the file output properly" Stiill it doesnt work

steffens · May 11, 2017, 10:37am

please add some more details about your environment. It was so not clear you're trying to filter events in Logstash.

Your syntax for the field accessor is incorrect. I think in Logstash you have to use [beat][hostname].

xon · May 11, 2017, 10:42am

I tried that and still it doesnt work. Line 28 is where the if statement is...

output {
elasticsearch {
if [beat][hostname] == "testinghost" {
hosts => "192.168.0.1:9200"
manage_template => true
index => "testing-%{+YYYY.MM.dd}"
document_type => "apache"
}
}
}

Basically there is filebeat running in two different web servers and I want to index their data separately. My filebeat part is looking alright since I can index everything together under a single index however I need to create two different.

Thanks

steffens · May 11, 2017, 10:07pm

what exactly do you mean by "doesn't work"? Any error message?

This doc shows how to use conditionals in Logstash.

Have you verified the events matching structure and content as you expect?

system · June 8, 2017, 10:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to separate index of filebeat coming from 2 or more hosts Beats filebeat	11	4790	November 15, 2018
If/Else condition for Output to Elasticsearch Beats docker , filebeat	4	2899	July 12, 2021
Multiple Indexes in logstash from multiple filebeats -hostname Logstash	2	1675	July 10, 2017
Logstash from multiple beats server Logstash	2	185	February 16, 2023
Create index for filebeat with idicated host or log path Kibana	12	1632	November 21, 2020

Filebeat store under different index per host?

Related Topics