Logstash for multi output

truongdqse03303 · August 29, 2017, 8:12am

Hi experts.
I have this logstash input

input {
  beats {
    type => "beat"
    port => 5044
    ssl => false
    #ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    #ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
  redis {
    host => "*********"
    data_type => "list"
    key => "filebeat"
    type => "app2"
  }
  redis {
    host => "*********"
    data_type => "list"
    key => "app1"
    type => "app1"
  }
}

and the output:

output  {
  if [type] == "beat" {
    elasticsearch {
      hosts => ["*********:9200"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
  else {
    elasticsearch {
      hosts => ["*********:9200"]
      sniffing => true
      manage_template => false
      }
  }
}

My purpose is beats come to it own index and the other input come to logstash-* index but when i use the [type], it's not working so i ask is beats have any special condition that i can use to solve my problems?
Thanks

warkolm · August 29, 2017, 8:19am

What does that mean exactly?

truongdqse03303 · August 29, 2017, 8:24am

I mean with all the beat input like metricbeat, heartbeat, ... it's go to

elasticsearch {
      hosts => ["*********:9200"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }

and with other input not beats go to

elasticsearch {
      hosts => ["*********:9200"]
      sniffing => true
      manage_template => false
      }

which is logtstash-* as default index

warkolm · August 29, 2017, 8:46am

Yes, but what's not working?

truongdqse03303 · August 29, 2017, 8:49am

Hi @warkolm
The condition if [type] == "beat" is not working, it's cannot cover all the beat, i have check the type of beat output in kibana, even i add the [type] in the beat input but the beat output not have that [type]

beats {
type => "beat"

so if i use the condition like my output i just poseted, all come to logstash-* index

truongdqse03303 · August 30, 2017, 4:46am

Hi @warkolm
can you help me with this or i should use 2 logstash, 1 for log and 1 for beat ?

system · September 27, 2017, 4:46am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.