"Index" output setting

ElevenB2003 · May 7, 2018, 8:51pm

Hello,

I have multiple configuration files for logstash and each has their own input, filter, and output. However, I'm experiencing something strange: all data is flowing into all indexes even though I'm using the "index" output setting and specifying the data should be sent to its respective index.

Is this expected or am I missing something?

Example:
Output code from file 1:

output {
elasticsearch {
hosts => "localhost:9200"
user => "elastic"
password => "mypassword"
index => "index1-%{+YYYY.MM.dd}"
}
}

Output code from file 2:

output {
elasticsearch {
hosts => "localhost:9200"
user => "elastic"
password => "mypassword"
index => "index2-%{+YYYY.MM.dd}"
}
}

All data is appearing in both indexes...

Thanks!

magnusbaeck · May 8, 2018, 6:04am

Logstash concatenates these files. All events from all inputs will go to all outputs unless you use conditionals. You can also consider the multi-pipeline feature in Logstash 6.

system · June 5, 2018, 6:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.