Logstash Filtering logs

John_snow · November 5, 2021, 7:22pm

I want to filter logs on base of account_id and send to different output in logstash.

Log1:
{'account_id': '1234567890',
'other data': "Some_data"}

Log2:
{'account_id': '0987654321',
'other data': "Some_data"}

i want send log1 in other output and log2 in other output.
Is there any workaround?

Badger · November 5, 2021, 7:55pm

You can use conditionals in the output section. See here for an example.

John_snow · November 5, 2021, 8:13pm

Nice. Thanks for responding.

Can we automatically put the logs in output account wise. Let's assume we have 1000 account and i want to separate logs in S3 bucket account wise prefix.

s3 {
                bucket => "abc"
                prefix => "abc/{account_id}"
           }

in prefix i'm trying to use account_id as prefix so if we have the prefix it puts the logs into that otherwise it will create new prefix with as account_id

Badger · November 5, 2021, 8:20pm

Yes, the prefix option does support sprintf references, but note the warning in the source about the number of files created.

 prefix => "abc/%{account_id}"

John_snow · November 10, 2021, 5:18pm

Thanks for response.
can we use in operator in if condition like if i wanted to check if a filed matched to some keywords like

if [type] not in ['a', 'b', 'c'] {
                drop {}
        }

Badger · November 10, 2021, 5:46pm

Yes, that will work.

system · December 8, 2021, 5:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.