Using 5.6.2 stack
Hi, I have the following pipeline and it works well... But I would like to index a specific "application" to 2 indexes. Based on the field "executor" split below.
input {
beats {
port => "5043"
}
}
filter {
if [source_type] == "framework" {
grok {
patterns_dir => "/usr/share/logstash/patterns/"
match => { "source" => "%{TASKPATH}" }
}
mutate {
gsub => [
"executor", "(__)", "."
]
}
mutate {
split => { "executor" => "." }
}
}
}
output {
if [source_type] == "framework" {
elasticsearch {
index => "%{executor[0]}-%{+YYYY.MM.dd}"
}
#DO NOT uncomment if running inside container it will cause infinit loop
#stdout { codec => rubydebug }
} else if [source_type] == "dcos" {
elasticsearch {
index => "dcos-%{+YYYY.MM.dd}"
}
}
}
I tried this but it failed to load... Also I would like to do some extra filtering parsing based executor[0]
input {
beats {
port => "5043"
}
}
filter {
if [source_type] == "framework" {
grok {
patterns_dir => "/usr/share/logstash/patterns/"
match => { "source" => "%{TASKPATH}" }
}
mutate {
gsub => [
"executor", "(__)", "."
]
}
mutate {
split => { "executor" => "." }
}
if [executor[0]] == "foo-bar" {
DO EXTRA PARSING HERE??? URL decode and keyvalue parse.
}
}
}
output {
if [source_type] == "framework" {
... generic output here...
}
else if [source_type] == "framework" and [executor[0]] == "foo-bar"{
elasticsearch {
index => "foo-bar-second-%{+YYYY.MM.dd}"
}
}
else if [source_type] == "dcos" {
... dcos stuff here...
}
}