How can I indexing logs separate by their loggedtime(datetime)

Bhavin_Varsur · October 3, 2020, 12:34pm

I have 3 log files which is like this
logstash-2020.10.01
logstash-2020.10.02
logstash-2020.10.03
when I run logstash (run logstash.conf pipeline) it indexing all logs in one index.
but i want to index them by the their day so it will easy to see particular day logs and not mixing up all in one index
so how can i do that?

Badger · October 3, 2020, 1:22pm

If you turn off ILM then the default index name logstash-%{+yyyy.MM.dd} is based on the value of the @timestamp field.

If you really want the index name based on the filename then use whatever field contains the filename (possibly [path] or [log][file][path]) to set the index option on the logstash output.

Bhavin_Varsur · October 3, 2020, 5:39pm

I defined index name but it won't indexing

here is logstash.conf pipeline

input {
beats {
port => 5044
}
}
filter{
if "gbase" in [fields][log_type]
{
if [level] in [ "Error", "Fatal" ]
{
grok { match=> ["message","%{DATESTAMP:timestamp} %{LOGLEVEL:level} %
{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}"] }
}
else{
grok { match=> ["message","%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}" ] }
}
}
if "finance" in [fields][log_type]
{
if [level] in [ "Error", "Fatal" ]
{
grok { match=> ["message","%{DATESTAMP:timestamp} [%{WORD:processId}] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{URI:requestUrl} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}"]}
}
else{
grok { match=> ["message","%{DATESTAMP:timestamp} [%{WORD:processId}] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{IPV4:clientIp} %{GREEDYDATA:message}" ]}
}
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
#match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
target=> "@timestamp"
}
}
output {
if "finance" in [fields][log_type]
{
elasticsearch
{
hosts => ["http://localhost:9200"]
#index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
index => "finance-%{+YYYY.MM.dd}"
user => ""
password => ""
}
}
if "gbase" in [fields][log_type]
{
elasticsearch
{
hosts => ["http://localhost:9200"]
#index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
index => "gbase-%{+YYYY.MM.dd}"
user => ""
password => ""
}
}
stdout { codec => rubydebug }
}

here is filebeat.yml

filebeat.inputs:

type: log
enabled: true
paths:
- D:\Git\gbase.API\Logs*.log
  fields:
  {log_type: gbase}
type: log
enabled: true
paths:
- D:\Git\finance.api\FinanceAPI\logs*.log
  fields:
  {log_type: finance}

multiline.pattern: '^[[:space:]]'
multiline.negate: false
multiline.match: after

but i can't see index in kibana which is defined in output section

system · October 31, 2020, 5:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.