How can I parse 2 log files to 2 index in Kibana

MT2021 · August 17, 2021, 3:13pm

Hi ELK community,

I am a absolutely newbie in the Elasticsearch.
I am getting a stuck in creating 2 pipelines towards 2 indexes of 2 log file (2 services in corresponding).
My topo likes that: Filebeat ==> logstash ==> Elasticsearch==> Kibana.
In the filebeat.yml, i have a configuation to 2 files: (of course, I have comment output to Elasticsearch and uncomment to Logstash)

filebeat.inputs:
- type: log
  paths:
    - **/var/log/message**
  fields: {log_type: syslog}
- type: log
  paths:
    - **/var/log/apache2/access.log**
  fields:
    apache: true
  fields_under_root: true

In the logstash-sample.conf file, I have 3 parts:

input

input {
  beats {
    port => 5044
  }
}

filter

filter {
  if ([fields][log_type] == "syslog") {
   grok {
    match => { "message" => ['%{WORD:month} %{NUMBER:date} %{NOTSPACE:hour} %{NOTSPACE:hostname} %{GREEDYDATA:rest}'] }
    }
  }

  else if {
   grok {
    match => { "message" => ['%{COMBINEDAPACHELOG:message}'] }
    }
  }
}

Output

output {
  if ([fields][log_type] == "sys") {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "test"
    }
  }
  else if ([fields][log_type] == "apa") {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "apach"
    }
  }
}

Kindly help to figure out any my mistake and eventually, please help to share if you have any idea to approach my goal.
P/S: With single pipeline, i can do well.

Thanks in advance!

MT2021 · August 17, 2021, 3:42pm

Additional information
I got an issue. It seems it comes from pipeline and logstash configuration.
Now Logstash is continuously restarting by itself

Aug 17 22:36:21 thien-virtual-machine logstash[11138]: [2021-08-17T22:36:21,781][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"(\", \"!\", '\"', \"'\", \"-\", [0-9], \"[\", [A-Za-z_], '/' at line 17, column 11 (byte 345) after filter {\n  if ([fields][log_type] == \"syslog\") {\n   grok {\n    match => { \"message\" => ['%{WORD:month} %{NUMBER:date} %{NOTSPACE:hour} %{NOTSPACE:hostname} %{GREEDYDATA:rest}'] }\n    }\n  }\n\n  else if ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in `compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:391:in `block in converge_state'"]}

Cad · August 18, 2021, 1:51pm

This condition is the source of your error.

MT2021 · August 18, 2021, 2:05pm

i don't know what it should be.
I have read some articles, else if { if correct format.

Cad · August 18, 2021, 2:21pm

According to the documentation a if need to be followed by an expression.

If you want to run the second grok plugin every time the [fields][log_type] don't contains syslog then only use else {

MT2021 · August 18, 2021, 2:31pm

Thanks for your document.
Let me try with else only.

system · September 15, 2021, 2:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Output logs to multiple index from logstash Logstash	7	5776	December 20, 2019
Multiple indices from one log file Beats filebeat	4	370	October 27, 2022
Multiple index in elasticsearch from filebeat Beats filebeat	4	3207	August 4, 2017
All files collected under on index only. Is it possible to have multiple indexes for multiple files? Logstash	76	2864	February 22, 2020
More indexes in Filebeat Kibana	6	392	August 21, 2018

How can I parse 2 log files to 2 index in Kibana

Related topics