Keep raw syslog event untampered

jaykumar · August 15, 2016, 6:10pm

Hi There,

I have Logstash config with few groks to rename fields, make values human readable, geoip, and few more stuffs. I would like to make two outputs:

Raw compressed file with untampered, this means it must not include any of the filters
Elasticsearch output after applying all filters

Can anyone please help me here?

Regards,

Ajay

magnusbaeck · August 15, 2016, 8:19pm

Use a clone filter to split each event in two. Use conditionals to apply your filters to one of the events and similarly to send them to different inputs.

jaykumar · August 16, 2016, 6:09am

Yes this should meet the requirement. Thank you.

jaykumar · August 16, 2016, 6:39am

Just now tested. This works as expected.
Once again thank you for this quick help.

Topic		Replies	Views
Filtered and unfiltered outputs Logstash	3	421	August 15, 2018
Sending an unfiltered copy Logstash	15	1888	June 4, 2018
Two outputs with different data Logstash	4	531	May 20, 2018
Can I filter the Output data separately?! Logstash	9	10876	August 31, 2018
Splitting an event into multiple documents Logstash	5	4022	January 31, 2018

Keep raw syslog event untampered

Related Topics