There are three sources named Source1, Source2, and Source3; each has its own file directory for the data files, where Logstash reads the data from. I have all of their log data; let's call them syslog.txt. Currently, if I place these three folders in the directory where Logstash reads the input data, they are placed into Elasticsearch with no way of differentiating if one syslog.txt log came from Source1, Source2 or Source3.
So the name of the directory can be used to determine the name of the source? Then have a look at the path field that Logstash populates with the full path to the file the event came from.
Also, the sources will not always be named the same thing. This example was Source1, Source2 and Source3, but the next time they could be S1, S2 and S3 or Sun, Cloud, Stars. So it is not as simple as changing the 'type' they are read in as, I don't think.
Okay. So how would a human know that e.g. Source1 and S1 are actually the same thing? Once we've established that we can move on to how to make Logstash do the same thing.
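
The `path`-field suggestion from the first reply, sketched as a pipeline; this is an added example, not configuration posted by anyone in the thread. The base directory `/data/logs`, the field name `source_name` and the failure tag are assumptions, and the pattern expects forward-slash paths. It only records whatever directory name is present and does not decide whether two differently named directories are the same source.

```logstash
input {
  file {
    # Assumed layout: /data/logs/<source directory>/syslog.txt
    path => "/data/logs/*/syslog.txt"
    start_position => "beginning"
    # With ECS compatibility enabled the file path is stored in
    # [log][file][path] rather than "path"; disabled here so the
    # field matches the one named in the thread.
    ecs_compatibility => "disabled"
  }
}

filter {
  grok {
    # Capture the name of the directory that directly contains the file,
    # e.g. /data/logs/Source1/syslog.txt -> source_name = "Source1".
    # No directory names are hard-coded, so S1 or Sun are captured the same way.
    match => { "path" => "/(?<source_name>[^/]+)/[^/]+$" }
    # Distinct tag (assumed name) so events whose origin could not be
    # determined can be found and reviewed instead of being mixed in silently.
    tag_on_failure => ["_source_name_missing"]
  }
}

output {
  # Print events so the extracted source_name can be checked before
  # switching to the elasticsearch output.
  stdout { codec => rubydebug }
}
```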