Logstash Filtering logs

I want to filter logs on the basis of account_id and send them to different outputs in Logstash.

Log1:
{'account_id': '1234567890',
'other data': "Some_data"}
Log2:
{'account_id': '0987654321',
'other data': "Some_data"}

I want to send log1 to one output and log2 to another output.
Is there any workaround?

You can use conditionals in the output section. See here for an example.

Nice. Thanks for responding.

Can we automatically put the logs in the output account-wise? Let's assume we have 1000 accounts and I want to separate logs in an S3 bucket with an account-wise prefix.

s3 {
                bucket => "abc"
                prefix => "abc/{account_id}"
           }

In prefix I'm trying to use account_id as the prefix, so if we have the prefix it puts the logs into that, otherwise it will create a new prefix with the account_id.

Yes, the prefix option does support sprintf references, but note the warning in the source about the number of files created.

 prefix => "abc/%{account_id}"

Thanks for the response.
Can we use the in operator in an if condition, like if I wanted to check whether a field matched some keywords, like:

if [type] not in ['a', 'b', 'c'] {
                drop {}
        }

Yes, that will work.
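The output conditionals and the sprintf prefix from the replies above, combined in one pipeline as an added example that is not part of the original thread. It assumes account_id is always a string of digits, as in the two sample logs; the `invalid_account_id` tag and the `abc/_unrouted` prefix are hypothetical names. Because the prefix is built from event data, the field is validated first: a missing field would otherwise leave the literal text `%{account_id}` in the object key, and an unchecked value lets whoever controls the log content decide where objects land and how many prefixes get created.

```logstash
filter {
  # Accept account_id only when the whole value is digits (assumed format).
  # \A and \z anchor the entire string, so a value containing a newline
  # cannot pass the way it could with ^ and $.
  if [account_id] =~ /\A[0-9]{1,20}\z/ {
    # Valid: nothing to do, the event is routed by account_id in the output.
  } else {
    # Missing, empty or malformed account_id: mark the event so it never
    # reaches the sprintf-based prefix.
    mutate {
      add_tag => ["invalid_account_id"]   # hypothetical tag name
    }
  }
}

output {
  if "invalid_account_id" in [tags] {
    # Fixed prefix for events that could not be attributed to an account,
    # kept for review instead of being dropped silently.
    s3 {
      bucket => "abc"
      prefix => "abc/_unrouted"           # hypothetical prefix
    }
  } else {
    # One prefix per account, created on first use. The number of distinct
    # prefixes is bounded by the number of valid account ids, not by
    # arbitrary field contents.
    s3 {
      bucket => "abc"
      prefix => "abc/%{account_id}"
    }
  }
}
```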
