How to configure ELK (Elasticsearch, Logstash,Kibana) for different application log files and display each application separately in Kibana?

magnusbaeck · January 4, 2017, 1:11pm

is this my else condition which cause logstash-* index ?

It sounds like you effectively have this:

output {
  if [type] == "OnsuranceAppLog" {
    elasticsearch { 
      hosts => ["localhost:9200"] 
      index => "onsurance-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
    }
    stdout { codec => rubydebug }
  }
  if [type] == "iis" {
    elasticsearch { 
      hosts => ["localhost:9200"] 
      index => "iis-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
    }
    stdout { codec => rubydebug }
  }
}

In that case yes, the else block is the problem. All messages will reach it.

another question is, how can i tell ES to keep index of only last 30 days? and delete everything which is older than 30 days. I know you can fire a query to ES but is there any Setting which i can set once and it does the magic?

There's no setting but the Curator program can do this for you.

Topic		Replies	Views
Logstash - Configuration Logstash	7	285	June 18, 2018
Remote IIS logs into ELK Stack? Beats filebeat	5	5533	July 5, 2017
Clarification on logstash configuration Logstash	3	234	October 21, 2019
Kibana: Creating Selected Fields Logstash	8	1914	May 16, 2017
IIS logs showing as a string Logs	4	1695	December 7, 2021

How to configure ELK (Elasticsearch, Logstash,Kibana) for different application log files and display each application separately in Kibana?

Related topics