Logstash is not connecting on muliple port for different beats

Nirpendra_Kumar · August 28, 2018, 2:45pm

I have 3 server with beat service installed , passing the logs to logstash on different ports 5044,5045,4046

with different index .but all indexes have the same data .

Nirpendra_Kumar · August 28, 2018, 2:46pm

input {
beats {
port => 5045
}
}
filter
{
xml
{
source => "message"
target => "doc"
}
}
output
{
elasticsearch
{
codec => json
hosts => ["10.100.76.90:9200"]
# index => "aimlogs"
index => "zic_uat-%{+yyyy.MM.dd}"
document_type => "vdf_xml"
}
stdout {}
}
~

Nirpendra_Kumar · August 28, 2018, 2:46pm

Thanks in advance for help

magnusbaeck · August 28, 2018, 6:41pm

I have 3 server with beat service installed , passing the logs to logstash on different ports 5044,5045,4046

What's the point of using different ports?

with different index .but all indexes have the same data .

That's because you're running all configuration files in the same Logstash pipeline. Logstash will concatenate the configuration files so that all filters and outputs apply to all events from all inputs. You can use conditionals to selectively apply filters and outputs. This is an extremely common question here and has been covered many times before.

Nirpendra_Kumar · August 29, 2018, 9:41am

Can you please share any example for source ip rule ?

magnusbaeck · August 29, 2018, 11:28am

The documentation contains many examples of conditionals: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#conditionals

If you want a specific example you must ask a more specific question than "source ip rule".

Nirpendra_Kumar · August 30, 2018, 4:35pm

Thanks

Can you please share the syntax for nested if ,

input {
beats {
port => 5044
}
}
output {
if "json" in [tags] {
elasticsearch {
hosts => "10.11.19.133:9200"
index => "first_indexer"
}
}else if "new" in [tags] {
elasticsearch {
hosts => "10.11.19.133:9200"
index => "second_indexer"
}
else {
elasticsearch {
hosts => "10.11.19.133:9200"
index => "new"

}
}

}
}

Is this corect ?

magnusbaeck · August 31, 2018, 7:29am

That syntax is okay, but since I don't know what you want to accomplish I can't tell whether it'll do what you expect.

Nirpendra_Kumar · August 31, 2018, 8:10am

Let me explain you here what I want .I have 3 filebeat location and I have specified tags in every filebeat now i want difffrent index for each filebeat using the tags.
Is it possible ?

magnusbaeck · August 31, 2018, 9:04am

I would use a custom field instead of tags but either way works.

Nirpendra_Kumar · August 31, 2018, 9:05am

Thanks a alot for help

any example for custom filed with condition

magnusbaeck · August 31, 2018, 9:34am

The documentation I linked to contains lots of examples of how the compare field values.

system · September 28, 2018, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.