In your case you only ever index an event to one index. If you have three outputs, that creates three sets of connections to elasticsearch. If you use a sprintf reference to set the index name then you only need one set.
    filter {
      # Pick the index prefix from the listening port; [@metadata] fields are not sent to the output
      if [port] == "5140" {
        mutate { add_field => { "[@metadata][indexPrefix]" => "jstest1" } }
      } else if [port] == "5141" {
        mutate { add_field => { "[@metadata][indexPrefix]" => "jstest2" } }
      } else if [port] == "5142" {
        mutate { add_field => { "[@metadata][indexPrefix]" => "jstest3" } }
      }
    }
    output {
      # Only events that matched one of the ports above are indexed
      if [@metadata][indexPrefix] {
        elasticsearch {
          hosts => ["https://xxxx:9200", "https://xxxx:9200"]
          user => "elastic"
          password => "xxxxxxxx"
          cacert => "/etc/logstash/certs/ca.crt"
          index => "%{[@metadata][indexPrefix]}-%{+YYYY.MM.dd}"
          action => "index"
        }
      }
    }
As I said, that only works because one event only goes to one index. I cannot find it right now but someone recently asked a question where they had multiple elasticsearch outputs and the conditional for each one was if "someTag" in [tags]. That could result in an event going to multiple indexes, so those outputs could not be combined.