How to remove field in logstash output

I have set up an ELK stack. The Logstash instance has two outputs, Kafka and Elasticsearch.

For the output of elasticsearch, I want to keep the field @timestamp. For the output of Kafka, I want to remove the field @timestamp. So I cannot just remove field @timestamp in the filter. I just want it removed for the Kafka output.

I have not found this kind of solution.

Use pipeline-to-pipeline communication with a forked path pattern.

It seems that pipeline is enough. Just separate the config of different outputs.

Try to set the pipelines.yml

- pipeline.id: stdout
    queue.type: persisted
    config.string: |
    input {
      beats {
        port => 5044
      }
    }

    output {
      stdout{}
    }

- pipeline.id: kafka
    queue.type: persisted
    config.string: |
    input {
      beats {
        port => 5044
      }
    }
    
    output {
      kafka {
        codec => json
        topic_id => "zeek-http"
      }
    }

Start the logstash: ./bin/logstash --path.settings /Users/dongbing/tool/ELK/logstash-7.4.0/config -t. But it always indicates:

[2020-03-19T13:04:17,589][DEBUG][logstash.config.source.multilocal] Reading pipeline configurations from YAML {:location=>"/Users/dongbing/tool/ELK/logstash-7.4.0/config/pipelines.yml"}
ERROR: Failed to read pipelines yaml file. Location: /Users/dongbing/tool/ELK/logstash-7.4.0/config/pipelines.ym\
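
The forked-path pattern suggested earlier in the thread, written out as a complete pipelines.yml (an added example, not posted by anyone in the thread): one intake pipeline owns the beats port and forwards each event to two downstream pipelines, and only the Kafka one removes @timestamp. The pipeline ids, virtual addresses, Elasticsearch host and Kafka broker are assumptions; each pipeline's keys sit at the same indentation and the config.string body is indented deeper than its key, which YAML requires.

```yaml
# Added example; pipeline ids, addresses and hosts below are assumptions.
- pipeline.id: intake
  queue.type: persisted
  config.string: |
    input {
      beats {
        port => 5044        # only one pipeline can bind this port
      }
    }
    output {
      # fork: every event is sent to both downstream pipelines
      pipeline { send_to => ["es_branch", "kafka_branch"] }
    }

- pipeline.id: es
  queue.type: persisted
  config.string: |
    input { pipeline { address => "es_branch" } }
    output {
      elasticsearch {
        hosts => ["http://localhost:9200"]   # assumed host
      }
    }

- pipeline.id: kafka
  queue.type: persisted
  config.string: |
    input { pipeline { address => "kafka_branch" } }
    filter {
      # applies to this branch only; the es pipeline keeps @timestamp
      mutate { remove_field => ["@timestamp"] }
    }
    output {
      kafka {
        codec => json
        topic_id => "zeek-http"
        bootstrap_servers => "localhost:9092"   # assumed broker
      }
    }
```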
