How create 2 different indexs with same file source?

Elastic Stack Logstash
1

this is my conf file and it's ok i've created an index with only errors match
but now it's possible create a second indexs with file warning or custom?

code => "event.cancel if not event.get('message').include? 'WARN' " 
.....

elasticsearch {
			hosts => ["elasticsearch:9200"]
			index => "warn"  ?????? other index file??? is possible
		}

my file logstash.conf

input {
  file {
    path => [ "/logstash_dir/P1/*.*",
                     "/logstash_dir/P2/*.*" ]
      start_position => "beginning"
  }
}

filter {
  
   ruby {
    
             code => "event.cancel if not event.get('message').include? 'ERROR' " 
       
         }
}

output {

		elasticsearch {
			hosts => ["elasticsearch:9200"]
			index => "errors"
		}
		stdout { codec => rubydebug }	
	
}
2

You could remove the ruby filter and do something like

3

hello very good but is possible use (ruby or other sintax ) for personalize other type of index?

example

  1. if I would like to create separate indexes based on the path of origin
  2. if I would like to create separate indexes based on advanced text contains
4

You can use conditionals with multiple branches. See this thread.

Splitting your data into a large number of small indexes is not a good practice because a large number of indexes/shards is more costly than a single index with tagged events.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.