I need to have multiple index based on the path of log file

akhilkandari · September 8, 2021, 1:23pm

we have 2 environment one dev & one prod storing logs in dev path & prod path so how can i have 2 separate index for both of these based on path

input {
    stdin{
        type => "stdin-type"
		}
    file{
        type => "json"
        path => [ "/var/files/prod/*.log","/var/files/prod/**/*.log" ]
        start_position => "beginning"
		tags => "prod"
		} file{
        type => "json"
        path => [ "/var/files/dev/*.log","/var/files/dev/**/*.log" ]
        start_position => "beginning"
		tags => "dev"
		}	}
filter {
    grok {
        match => {
            "message" => [ "%{JSON:payload_raw}" ]
        }
        pattern_definitions => {
            "JSON" => "{.*$"
        }    }
    json {
        source => "payload_raw"
        target => "payload"
    }    mutate {
        remove_field => [ "payload_raw","message" ]
    }   date {
                match => [ "[payload][datetime]", "yyyy-MM-dd HH:mm:ss,SSS" ]
                target => "@timestamp"
        }}
output {
    stdout {
        codec => rubydebug    }
	if tags == "prod"
	{    elasticsearch {
        hosts  => "localhost:9200"
		index => "prod-logs"    }	}
	if tags == "dev"
	{
    elasticsearch {
        hosts  => "localhost:9200"
		index => "dev-logs"  }	}}

leandrojmp · September 8, 2021, 1:26pm

Hello,

Can you explain what you are trying to do and what is not working? You just pasted your configuration without any explanation what is the issue.

akhilkandari · September 9, 2021, 4:52am

hi
i have define 2 path to store logs one for dev & other for prod,
i want to have 2 separate index for dev & prod.
this is my conf file but logs are not parse with this
how can i achieve this

system · October 7, 2021, 4:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.