Hi everybody!!!
I have my output in config file:
output {
  elasticsearch {
    host => "myServer.com"
    port => 9200
    index => "events"
    protocol => "http"
  }
}
and I want to direct all logs with message "Logged in" and "Logged out" into documents of type "events_logs", and all the remaining documents into "rest_logs".
As a result I want 2 different types in my index:
/myServer.com/events/events_logs
/myServer.com/events/rest_logs
How can I do this?
THX to all!!!
Use a mutate filter to change the type field for the messages that should have a different type.
filter {
  if [message] =~ /Logged (in|out)/ {
    mutate {
      replace => ["type", "events_logs"]
    }
  }
}
@magnusbaeck
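A complete pipeline built around that mutate filter, added here as an example (not from the original posts): the else branch gives every non-matching event the "rest_logs" type, and the elasticsearch output block is the one from the question, which in this Logstash version writes each event to the document type named by its type field. The stdin input and the stdout output are assumptions added so you can feed test lines by hand and see the resulting type before pointing it at the real cluster.

```logstash
input {
  # constructed for local testing: type lines in, see them classified below
  stdin { }
}

filter {
  # unanchored, case-sensitive match; "Logged in" and "Logged out" both hit,
  # but so would e.g. "Logged inside" -- tighten the regex if that matters
  if [message] =~ /Logged (in|out)/ {
    mutate {
      replace => ["type", "events_logs"]
    }
  } else {
    # every other event goes to the second type
    mutate {
      replace => ["type", "rest_logs"]
    }
  }
}

output {
  # output block from the question; the type field set above becomes
  # the document type under the "events" index
  elasticsearch {
    host => "myServer.com"
    port => 9200
    index => "events"
    protocol => "http"
  }
  # assumption: print each event so the assigned type can be checked
  stdout { codec => rubydebug }
}
```

Run it with `logstash -f this.conf`, type a line such as `user Logged in` followed by a plain line, and the rubydebug output shows `"type" => "events_logs"` for the first and `"type" => "rest_logs"` for the second; those are the two paths `/events/events_logs` and `/events/rest_logs` the question asks for.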
Thanks, I'll try it)