How create 2 different indexs with same file source?

Nikolas1306 · September 30, 2022, 3:56pm

this is my conf file and it's ok i've created an index with only errors match
but now it's possible create a second indexs with file warning or custom?

code => "event.cancel if not event.get('message').include? 'WARN' " 
.....

elasticsearch {
			hosts => ["elasticsearch:9200"]
			index => "warn"  ?????? other index file??? is possible
		}

my file logstash.conf

input {
  file {
    path => [ "/logstash_dir/P1/*.*",
                     "/logstash_dir/P2/*.*" ]
      start_position => "beginning"
  }
}

filter {
  
   ruby {
    
             code => "event.cancel if not event.get('message').include? 'ERROR' " 
       
         }
}

output {

		elasticsearch {
			hosts => ["elasticsearch:9200"]
			index => "errors"
		}
		stdout { codec => rubydebug }	
	
}

Badger · September 30, 2022, 4:25pm

You could remove the ruby filter and do something like

Nikolas1306:

output {
    if "ERROR" in [message] {
		elasticsearch {
			hosts => ["elasticsearch:9200"]
			index => "errors"
		}
    } else {
		elasticsearch {
			hosts => ["elasticsearch:9200"]
			index => "other"
		}
    }
		stdout { codec => rubydebug }
}

Nikolas1306 · September 30, 2022, 4:47pm

hello very good but is possible use (ruby or other sintax ) for personalize other type of index?

example

if I would like to create separate indexes based on the path of origin
if I would like to create separate indexes based on advanced text contains

Badger · September 30, 2022, 5:07pm

You can use conditionals with multiple branches. See this thread.

Splitting your data into a large number of small indexes is not a good practice because a large number of indexes/shards is more costly than a single index with tagged events.

system · October 28, 2022, 5:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.