I am trying to route certain logs to index 1 and other logs to index 2. I know that this is not the best practice, but this will solve many problems for us.
One log looks like:
/opt/mod/a.log
The other looks like:
/opt/mod/b.log
In log type a.log I have a term called "apiMedTimeSent". Therefore, after looking at the link that I attached at the bottom, I tried the following configuration:
output {
  if "apiMedTimeSent" in (What to put here) [
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  ]
}
}
But as you see I don't know how to continue this. Also is there a better way to do this?
I am not sure if you can do it (what to put there) in the output section.
Having said that, you can write a small piece of Ruby code to fetch the file "path" value in the filter section. Then set the type of the log based on the path value.
filter {
  ruby {
    code => "
      # Classify the event by the file it was read from.
      if event.get('path') == '/opt/mod/a.log'
        event.set('type', 'a')
      else
        event.set('type', 'b')
      end
    "
  }
}
Now you can check the type in the output section -
if [type] == "a" {
  elasticsearch {
  }
} else {
  elasticsearch {
  }
}
in log type a.log I have a term called: "apiMedTimeSent"
What does this mean, exactly? That the string "apiMedTimeSent" occurs in the log message? If so:
if "apiMedTimeSent" in [message] {
How do these logs end up in Logstash? A file input in Logstash? Filebeat? Would it be possible to classify them at the source? In other words, would it be an option to configure the input so that it'll tag the messages in a way so that later stages in the pipeline knows what to do about them?
Hi, they come in by Filebeat, but I don't know how to tag multiple files in Filebeat. Also, if I tag them, how can I send the differently tagged files to different indices?
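The routing discussed in this thread as one complete pipeline (an added example, not part of the original posts). It assumes Filebeat attaches a custom `log_type` field to each file through its per-input `fields` option; the field name `log_type`, the port, the Elasticsearch host and the `-a`/`-b` index suffixes are all assumptions.

```logstash
# Filebeat side (YAML, shown as comments; assumed layout, one entry per file):
#   - paths: ["/opt/mod/a.log"]
#     fields: { log_type: "a" }
#   - paths: ["/opt/mod/b.log"]
#     fields: { log_type: "b" }

input {
  beats { port => 5044 }            # assumed port
}

filter {
  # Prefer the label set at the source; fall back to the message content
  # check from the thread when the label is missing.
  if [fields][log_type] {
    mutate { add_field => { "[@metadata][log_type]" => "%{[fields][log_type]}" } }
  } else if "apiMedTimeSent" in [message] {
    mutate { add_field => { "[@metadata][log_type]" => "a" } }
  } else {
    mutate { add_field => { "[@metadata][log_type]" => "b" } }
  }
}

output {
  # Compare against known values instead of interpolating the
  # shipper-supplied field into the index name, so an unexpected
  # value cannot create or write to an arbitrary index.
  if [@metadata][log_type] == "a" {
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed host
      index => "%{[@metadata][beat]}-a-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed host
      index => "%{[@metadata][beat]}-b-%{+YYYY.MM.dd}"
    }
  }
}
```

Fields under `[@metadata]` are not sent to the outputs, so the routing label does not end up in the indexed documents.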