Hi all...
I use ELK 6.2.3.
In the Logstash conf.d directory I have prepared two different configuration files for two different firewalls, with geo localization in custom fields: "fw_SourceGEO" and "fw_DestinationGEO".
I use two different indices, "fw_customerA-" and "fw_customerB-", for the respective devices. I have prepared two different templates to set the type "geo_point" on the custom fields.
customerA.conf

    output
    {
        if [type] == "fw_deviceA"
        {
            elasticsearch
            {
                hosts => "localhost:9200"
                index => "fw_customerA-%{+YYYY.MM.dd}"
                template => "/usr/share/elasticsearch/template/geoLocalization-customerA.json"
                template_overwrite => "true"
            }
        }
    }

customerB.conf

    output
    {
        if [type] == "fw_deviceB"
        {
            elasticsearch
            {
                hosts => "localhost:9200"
                index => "fw_customerB-%{+YYYY.MM.dd}"
                template => "/usr/share/elasticsearch/template/geoLocalization-customerB.json"
                template_overwrite => "true"
            }
        }
    }

The problem is that only for customerB is the following present:

    "location": {
    "type": "geo_point"

For customer A, nothing!
From Kibana, the GET _template command says:

    "logstash": {
    "order": 1,
    "index_patterns": [
    "fw_customerA*"
    ],
    ....

I have tried renaming the Logstash config files (customerA.conf --> customerB.conf and vice versa), and the template now works for "fw_customerB" only.
I'd like to know how to load a different template for each index... if it is possible.
Thanks in advance.
Giuliano
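
Added example, not part of the original post: the elasticsearch output installs its template under the name given by `template_name`, which defaults to "logstash", so two outputs that both leave it unset write to the same template slot, consistent with the single "logstash" entry returned by GET _template above. The names `fw_customerA` and `fw_customerB` are chosen for this example, and each JSON file is assumed to carry an `index_patterns` entry matching its own index.

```logstash
# Added example: one distinct template_name per elasticsearch output,
# so each template file is stored under its own name in Elasticsearch.

# customerA.conf
output {
  if [type] == "fw_deviceA" {
    elasticsearch {
      hosts              => "localhost:9200"
      index              => "fw_customerA-%{+YYYY.MM.dd}"
      template           => "/usr/share/elasticsearch/template/geoLocalization-customerA.json"
      template_name      => "fw_customerA"   # name chosen for this example
      template_overwrite => true
    }
  }
}

# customerB.conf
output {
  if [type] == "fw_deviceB" {
    elasticsearch {
      hosts              => "localhost:9200"
      index              => "fw_customerB-%{+YYYY.MM.dd}"
      template           => "/usr/share/elasticsearch/template/geoLocalization-customerB.json"
      template_name      => "fw_customerB"   # name chosen for this example
      template_overwrite => true
    }
  }
}
```

Templates apply only when an index is created, so the geo_point mapping appears on the next daily index rather than on existing ones. The template already stored under the name "logstash" stays in place until it is deleted (DELETE _template/logstash).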