How to index 2 indexes using conditions?

Elastic Stack Logstash
1

Using 5.6.2 stack

Hi, I have the following pipeline and it works well... But I would like to index a specific "application" to 2 indexes. Based on the field "executor" split below.

input {
  beats {
    port => "5043"
  }
}

filter {
  if [source_type] == "framework" {
    grok {
        patterns_dir => "/usr/share/logstash/patterns/"
        match => { "source" => "%{TASKPATH}" }
    }

    mutate {
      gsub => [
        "executor", "(__)", "."
      ]
    }

    mutate {
      split => { "executor" => "." }
    }
  }
}

output {

  if [source_type] == "framework" {
    elasticsearch {
      index => "%{executor[0]}-%{+YYYY.MM.dd}"
    }

    #DO NOT uncomment if running inside container it will cause infinit loop
    #stdout { codec => rubydebug }

  } else if [source_type] == "dcos" {
    elasticsearch {
      index => "dcos-%{+YYYY.MM.dd}"
    }
  }
}

I tried this but it failed to load... Also I would like to do some extra filtering parsing based executor[0]

input {
  beats {
    port => "5043"
  }
}

filter {
  if [source_type] == "framework" {
    grok {
        patterns_dir => "/usr/share/logstash/patterns/"
        match => { "source" => "%{TASKPATH}" }
    }

    mutate {
      gsub => [
        "executor", "(__)", "."
      ]
    }

    mutate {
      split => { "executor" => "." }
    }

    if [executor[0]] == "foo-bar" {
    DO EXTRA PARSING HERE??? URL decode and keyvalue parse.
    } 
  }
}

output {
  if [source_type] == "framework" {
  ... generic output here...
  } 
  else if [source_type] == "framework" and [executor[0]] == "foo-bar"{
    elasticsearch {
      index => "foo-bar-second-%{+YYYY.MM.dd}"
    }
  }

  else if [source_type] == "dcos" {
  ... dcos stuff here...
  }
}
2

ok I got it... I need to do...

else if [source_type] == "framework" and [executor][0] == "foo-bar"

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.