How can I index logs separately by their logged time (datetime)?

I have 3 log files which are like this:
logstash-2020.10.01
logstash-2020.10.02
logstash-2020.10.03
When I run Logstash (the logstash.conf pipeline) it indexes all the logs into one index.
But I want to index them by their day, so it will be easy to see a particular day's logs without mixing them all up in one index.
So how can I do that?

If you turn off ILM then the default index name logstash-%{+yyyy.MM.dd} is based on the value of the @timestamp field.

If you really want the index name based on the filename then use whatever field contains the filename (possibly [path] or [log][file][path]) to set the index option on the logstash output.
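The filename-based variant of that answer, written out as a full pipeline. This is an added example, not configuration from the thread: it assumes Filebeat 7.x, which ships the source path in [log][file][path], a filename ending in logstash-YYYY.MM.DD (optionally with a .log suffix), and a placeholder index prefix "app-". The date from the filename goes into [@metadata][index]; events whose filename carries no date fall back to the usual @timestamp-based name.

```logstash
# Added example (not part of the original thread). Assumptions: Filebeat 7.x
# ([log][file][path] holds the path), filenames like logstash-2020.10.01[.log],
# and "app-" as a placeholder prefix.
filter {
  # Extract the date embedded in the basename. Anchoring on the trailing
  # "logstash-<date>" works for both Windows (\) and POSIX (/) separators.
  grok {
    match => {
      "[log][file][path]" => "logstash-%{YEAR:[@metadata][y]}\.%{MONTHNUM2:[@metadata][m]}\.%{MONTHDAY:[@metadata][d]}(\.log)?$"
    }
    tag_on_failure => ["_no_date_in_filename"]
  }

  if "_no_date_in_filename" in [tags] {
    # Fallback: same daily naming the default index uses when ILM is off,
    # derived from @timestamp rather than from the filename.
    mutate { add_field => { "[@metadata][index]" => "app-%{+YYYY.MM.dd}" } }
  } else {
    mutate {
      add_field => { "[@metadata][index]" => "app-%{[@metadata][y]}.%{[@metadata][m]}.%{[@metadata][d]}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    # A custom index name is only honoured when ILM is disabled on the output.
    ilm_enabled => false
    index => "%{[@metadata][index]}"
  }
}
```

Keeping the computed name under [@metadata] means it never gets stored as a field in the document, and tag_on_failure gives you an explicit tag to search for when a file with an unexpected name slips through.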

I defined the index name but it won't index.

Here is the logstash.conf pipeline:

input {
  beats {
    port => 5044
  }
}

filter {
  if "gbase" in [fields][log_type] {
    # [level] only exists after grok has run, so branching on it before grok
    # (as the original if/else did) never took the Error/Fatal path. Giving
    # grok both patterns makes it try them in order, most specific first.
    grok {
      match => { "message" => [
        "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{URI:url} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}",
        "%{DATESTAMP:timestamp} %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{GREEDYDATA:message}"
      ] }
      # Without this grok appends the capture to the existing message field
      # instead of replacing it.
      overwrite => ["message"]
    }
  }

  if "finance" in [fields][log_type] {
    # The literal brackets around the process id must be escaped; unescaped
    # "[...]" is a regex character class and breaks the pattern.
    grok {
      match => { "message" => [
        "%{DATESTAMP:timestamp} \[%{WORD:processId}\] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{URI:requestUrl} %{USER:method} %{IPV4:clientIp} %{GREEDYDATA:message}",
        "%{DATESTAMP:timestamp} \[%{WORD:processId}\] %{LOGLEVEL:level} %{USERNAME:logger} %{USER:user} %{IPV4:clientIp} %{GREEDYDATA:message}"
      ] }
      overwrite => ["message"]
    }
  }

  # Note: DATESTAMP matches dates like 10/01/2020 or 01-10-2020, not
  # 2020-10-01. If the logs really start with "yyyy-MM-dd HH:mm:ss,SSS" as
  # this date filter assumes, the grok patterns need %{TIMESTAMP_ISO8601:timestamp}
  # instead; otherwise the date format below has to match what grok captured.
  # If neither matches, @timestamp stays at ingest time and the daily index
  # name is taken from that, not from the log line.
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    #match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "@timestamp"
  }
}

output {
  if "finance" in [fields][log_type] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      index => "finance-%{+YYYY.MM.dd}"
      # credentials left empty here; omit both options if security is disabled
      user => ""
      password => ""
    }
  }

  if "gbase" in [fields][log_type] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
      index => "gbase-%{+YYYY.MM.dd}"
      user => ""
      password => ""
    }
  }

  stdout { codec => rubydebug }
}

Here is filebeat.yml:

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      # As written this glob matches files named "Logs*.log" directly under
      # D:\Git\gbase.API, not files inside a Logs folder.
      - D:\Git\gbase.API\Logs*.log
    fields:
      log_type: gbase
    # multiline options are per-input; at the top level of filebeat.yml
    # they are ignored.
    multiline.pattern: '^[[:space:]]'
    multiline.negate: false
    multiline.match: after

  - type: log
    enabled: true
    paths:
      - D:\Git\finance.api\FinanceAPI\logs*.log
    fields:
      log_type: finance
    multiline.pattern: '^[[:space:]]'
    multiline.negate: false
    multiline.match: after

But I can't see the index in Kibana that is defined in the output section.
