How to create multiple separate index using single conf file in logstash through filebeat?

KRISHNA_KUMAR1 · June 14, 2023, 8:31am

Hi,

I want to create separate indices based on the condition of the logs, for example if my log consist of api1 then it should create index named "api1" and if it consist api2 then create another index named "api2".
Please see the below log and conf for the reference

Log :
xx.xxx.x.x j.d [2023-06-12 10:15:20] "GET /api1/aa/1" 200 278
xx.xxx.x.x j.d [2023-06-12 10:16:21] "GET /api2/aa/1" 201 165
xx.xxx.x.x j.d [2023-06-12 10:17:21] "GET /api3/aa/1" 201 175

Conf :

input {
  beats {
    port => xxxx
  }
}

filter {
      grok {
      match => { "message" => "%{IP: } %{USERNAME: } \[%{TIMESTAMP_ISO8601:timestamp}\] \"%{WORD:http_method} %{PATH: path} HTTP/%{NUMBER: }\" %{NUMBER: } %{NUMBER: }" }
    }
    if [api_path] =~ ^/api1 {
      mutate {
        add_field => { "[@metadata][index_name]" => "api1-logs-%{+YYYY.MM.dd}" }
      }
    } else if [api_path] =~ ^/api2 {
      mutate {
        add_field => { "[@metadata][index_name]" => "api2-logs-%{+YYYY.MM.dd}" }
      }
    } else {
      mutate {
        add_field => { "[@metadata][index_name]" => "other-api-logs-%{+YYYY.MM.dd}" }
      }
    }
}

output {
  if [@metadata][index_name] {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    index => "%{[@metadata][index_name]}"
    user => "######"
    password => "########"
	ssl => true
	ssl_certificate_verification => false
	cacert => "xxx\xx\certs\http_ca.crt""
  }
  }
}

grfneto · June 15, 2023, 12:49am

Hi @KRISHNA_KUMAR1

welcome to the community.

Before proceeding with the help, could you inform the version you are using? Have you validated that the conditions are valid through stdout?

To test, you can put in your file:

output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}

another attempt is to make the conditional in the output, in this documentation there is an example:

Example: Set up Filebeat modules to work with Kafka and Logstash | Logstash Reference [8.8] | Elastic

system · July 13, 2023, 12:49am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create multiple index from file beat log input in log-stash config Beats filebeat	9	2988	May 6, 2019
Multiple index creation from single configuration file Logstash	4	364	July 9, 2018
Not able to create indexes using multiple logs files in filebeat tags Beats filebeat	4	616	May 17, 2021
Multiple filebeat input in logstash but how to create different set of index for them Logstash	6	5456	March 6, 2019
Create different Indices for different filebeat folder location Logstash	3	1206	June 18, 2018

How to create multiple separate index using single conf file in logstash through filebeat?

Related topics