Logstash file input - output to different indices

zaeemmasood · July 28, 2021, 7:44pm

Hello All,

I am running ELK 7.6.2 stack.

In my current set up, a single file gets ingested in logstash and creates an index successfully as below (only relevant part shown):

input {
  file {
    path => "/opt/gtal/ital/elasticsearch/app/logstash/stage/MQA_PRD_STATS-*.txt"

             - - - - - - - - - - - 
             - - - - - - - - - - - 
             - - - - - - - - - - - 
             - - - - - - - - - - - 

output {
      file {
       path => "/opt/gtal/ital/elasticsearch/logs/mqa/rubydebug.txt"
       codec => rubydebug
     }


    elasticsearch {
     hosts => [ "xxxxxxx:43045","xxxxxxxx:43045","xxxxxxxx:43045","xxxxxxxx:43045" ]
     user => "elastic"
     password => "xxxxxxxx"
     index => "demo-csv-%{+YYYY.MM.dd}"
     doc_as_upsert => true
     action => "update"
     document_id => "%{my_fingerprint}"
  }
}

Now I want to ingest 2 files instead of one in the same logstash file and direct the output to two different indices. The resultant logstash config file would looks something like below:

input {
  file {
    path 	=> 	[
			"/opt/gtal/ital/elasticsearch/app/logstash/stage/MQA_PRD_STATS-*.txt",
			"/opt/gtal/ital/elasticsearch/app/logstash/stage/MQA_DR_STATS-*.txt"
		]				

             - - - - - - - - - - - 
             - - - - - - - - - - - 
             - - - - - - - - - - - 
             - - - - - - - - - - -

How do I modify the output part below which should direct output of "MQA_PRD_STATS-.txt" and "MQA_DR_STATS-.txt" separately in two indices?

output {
      file {
       path => "/opt/gtal/ital/elasticsearch/logs/mqa/rubydebug.txt"
       codec => rubydebug
     }

    elasticsearch {
     hosts => [ "xxxxxxx:43045","xxxxxxxx:43045","xxxxxxxx:43045","xxxxxxxx:43045" ]
     user => "elastic"
     password => "xxxxxxxx"
     index => "demo-csv-%{+YYYY.MM.dd}"
     doc_as_upsert => true
     action => "update"
     document_id => "%{my_fingerprint}"
  }
}

Please guide.

Thanks

Cad · July 28, 2021, 9:27pm

Hi,

I think, the easiest way to achive what you want is to create a new field who is gonna take the name of the file you are currently reading and put that file name in the index.

input {
  ...
}
filter {
  grok {
    match => {
        # Take the value between a slash and the extention 
        # and put this value in the field filename
        "path" => "^%{GREEDYDATA}/{DATA:filename}[.]{WORD}$"
        # In grok, greedydata take all the values until the last value that follow it
        # So here, it take all the values until the last /
    }
  }
}
output {
      file {
       path => "/opt/gtal/ital/elasticsearch/logs/mqa/rubydebug.txt"
       codec => rubydebug
     }

    elasticsearch {
     hosts => [ "xxxxxxx:43045","xxxxxxxx:43045","xxxxxxxx:43045","xxxxxxxx:43045" ]
     user => "elastic"
     password => "xxxxxxxx"
     #Adding the filename to the index
     index => "demo-csv-%{[filename]}-%{+YYYY.MM.dd}"
     doc_as_upsert => true
     action => "update"
     document_id => "%{my_fingerprint}"
  }
}

Cad.

zaeemmasood · July 29, 2021, 3:28pm

Thanks. I did some research too which assigns a type to the file. Based on the file type requests go to the relevant index. Would the following work?

input {
  
  
    file {
            type => "PRD"
			path => "/opt/gtal/ital/elasticsearch/app/logstash/stage/MQA_PRD_STATS-*.txt"
			
    }
    file {
            type => "DR"
			path => "/opt/gtal/ital/elasticsearch/app/logstash/stage/MQA_DR_STATS-*.txt"
			
    } 
}

      -- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

if [type] == "PRD" {
			elasticsearch {
			 hosts => [ "xx-xxx-xxxx:43045","xx-xxx-xxxx:43045","xx-xxx-xxxx:43045","xx-xxx-xxxx:43045","xx-xxx-xxxx:43045" ]
			 user => "xxxxxx"
			 password => "xxxxxxxxxxxxxxxxxxxxxxx"
			 index => "prd-csv-%{+YYYY.MM.dd}"
			 doc_as_upsert => true
			 action => "update"
			 document_id => "%{my_fingerprint}"
  }
    }
    if [type] == "DR" {
			elasticsearch {
			 hosts => ["xx-xxx-xxxx:43045","xx-xxx-xxxx:43045","xx-xxx-xxxx:43045","xx-xxx-xxxx:43045","xx-xxx-xxxx:43045" ]
			 user => "xxxx"
			 password => "xxxxxxxxxxxxxxxxxxxxxxx"
			 index => "dr-csv-%{+YYYY.MM.dd}"
			 doc_as_upsert => true
			 action => "update"
			 document_id => "%{my_fingerprint}"
		}
	}
}

The resultant would be two indices prd-csv-%{+YYYY.MM.dd} and dr-csv-%{+YYYY.MM.dd}

Please guide.

Thanks

grumo35 · July 29, 2021, 3:34pm

if you want to do it before the output something like this would actually work

mutate{
     add_field => {"[@metadata][target_index] => "index-%{[filename]}-%{+YYYY.MM.dd}"}}
}

zaeemmasood · July 29, 2021, 4:02pm

Thanks.

Do I need to replace "filename" above with the name of the file e.g. MQA_PRD_STATS-*.txt and the other one in my case?

Also how would the output part look like?

system · August 26, 2021, 4:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple logstash indexes to be created from multiple application log files Logstash	3	695	May 16, 2022
Logstash - multiple indices for one input file Logstash	3	2068	December 21, 2016
How to write to a multiple indexes using single elasticsearch output? Logstash	3	338	May 12, 2020
LOGSTASH Using different input index than the one specified Logstash	4	243	October 10, 2022
"Index" output setting Logstash	2	272	June 5, 2018

Logstash file input - output to different indices

Related topics