How to tweak logstash -> elasticsearch indexing process

ibrahimsharaf · April 24, 2017, 10:28am

Hello, my logstash configurations create a separate index for each log file, I want to add them all together in a single elasticsearch index, how can I do this?

Here's how my logstash.conf looks like:

input {
tcp {
    port => 5000
    codec => multiline {
        pattern => "^%{TIMESTAMP_ISO8601} "
        negate => true
        what => previous
    }
    }
}

filter {
	## Finished merchants

## Stock status (in, out)
grok{
		match => [ "message", "'in_stock_items_count': %{NUMBER:instock_items:int}" ]
}
grok{
		match => [ "message", "'out_stock_items_count': %{NUMBER:outofstock_items:int}" ]
}

## Scraped items, invalid items
grok{
		match => [ "message", "'item_scraped_count': %{NUMBER:scraped_items:int}" ]
}
grok{
		match => [ "message", "'invalid_items_count': %{NUMBER:invalid_items:int}" ]
}

## Zero Priced
grok{
		match => [ "message", "'zero_price_items_count': %{NUMBER:zero_priced_items:int}" ]
}

## Item Duration
grok{
		match => [ "message", "'iteration_duration': %{NUMBER:iteration_duration:float}" ]
}

## timestamp
grok{
		match => [ "message", "%{DATE_EU:timestamp}" ]
}
date{
	    match => [ "timestamp", "yy-MM-dd" ]
	    target => "@timestamp"
	}
}

output {
   	if "_grokparsefailure" not in [tags]{
	
		elasticsearch {
			hosts => "elasticsearch:9200"
		}
	    }
    }

warkolm · April 24, 2017, 10:40am

Based on that config it should do that.
Are you seeing something else?

ibrahimsharaf · April 24, 2017, 10:49am

I added three log files named (01012017.log, 02012017.log, 03012017.log) and I ran
curl http://localhost:9200/_aliases?pretty=1
the output was

{
  "logstash-2017.01.03" : {
    "aliases" : { }
  },
  ".kibana" : {
    "aliases" : { }
  },
  "logstash-2017.01.01" : {
    "aliases" : { }
  },
  "logstash-2017.01.02" : {
    "aliases" : { }
  }
}

3 different indices, right?

magnusbaeck · April 24, 2017, 10:52am

Yes, one per day. In your case you happen to have one logfile per day, giving you the impression that it's one index per logfile.

Change the elasticsearch output's index option. If you inspect its default value you'll understand why you're getting one index per day and changing it to e.g. one index per month should be obvious. Make sure you understand why time-based indexes are pretty convenient before changing to one index for all events.

system · May 22, 2017, 10:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple output in logstash config, pls help! Logstash	7	4096	December 20, 2016
How to create multiple indexs with multiple input in logstash Logstash	8	2901	March 19, 2021
Advice needed to index multiple files from logstash to elastic search Logstash	6	407	July 6, 2017
Logstash 7.1 indexing to elasticsearch problem Logstash	2	453	June 25, 2019
How to change log files indexing between Logstash and Elasticsearch Logstash	4	698	May 19, 2017

How to tweak logstash -> elasticsearch indexing process

Related topics