Filebeat with Nginx, how to differentiate 2 files?

(Gabriel Tessier) #1

Good evening,

I use Filebeat for nginx files with ingest, here my filebeat config file:

  "output.elasticsearch": {
    "hosts": [
    "template.enabled": false,
    "index": "prod-%{+yyyy.MM.dd}"
  "filebeat.modules": [
      "access": {
        "enabled": true,
        "var.paths": [
        "encoding": utf-8
      "module": "nginx"
  "logging.to_files": false,
  "logging.files": null,
  "tags": ["prod", "service_prod"]

Everything work perfectly, I receive the content of both files in my index, my problem is how can I make a difference between the data coming from access-http and the data from access-https?
I tried several key like "document-type", "input-type" duplicate the "access" key inside modules array, also tried to define prospector key, I didn't get error but the value in kibana (and elastic) for type field is always log!!

Which key I need to define to differentiate the data coming from this 2 files, where and what to split to do it?

Thanks for any help.

(ruflin) #2

You should have a field source in each event which contains the full file path.

(Gabriel Tessier) #3

Yes, you are great!! Big thanks.

I need new glasses! :grinning:

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.