Logstash loops

dinesh1 · November 29, 2018, 12:01pm

Hi,
how to use loops for output in logstash.

output {

                    if [my_index] == "order"{
            elasticsearch {
                    hosts => [  "172.160.0.234" ]
                    index => "order-%{+YYYY.MM.dd}"
            }
    }
                    if [my_index] == "merchant"{
            elasticsearch {
                    hosts => [  "172.160.0.234}" ]
                    index => "merchant-%{+YYYY.MM.dd}"
            }
    }
	
	                        if [my_index] == "service"{
            elasticsearch {
                    hosts => [  "172.160.0.234" ]
                    index => "service-%{+YYYY.MM.dd}"
            }
    }
                    if [my_index] == "reorder"{
            elasticsearch {
                    hosts => [  "172.160.0.234}" ]
                    index => "reorder-%{+YYYY.MM.dd}"
            }
    }
            else {
                    elasticsearch {
                    hosts => [  "172.160.0.234}" ]
                    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
                            }
    }



 stdout { codec => rubydebug }

}

Christian_Dahlqvist · November 29, 2018, 12:03pm

Why would you need loops? What is the problem you are trying to solve?

dinesh1 · November 29, 2018, 12:11pm

I had 12 docker containers, I need to create seperate indices for each container.

Christian_Dahlqvist · November 29, 2018, 12:11pm

Why?

dinesh1 · November 29, 2018, 12:15pm

To reduce indices size, usually it is morethan 100gb perday

Christian_Dahlqvist · November 29, 2018, 12:47pm

You do not necessarily need multiple outputs (which can be inefficient) and can do something like this:

filter {
  if [my_index] == "order"{
    mutate { add_field => { "[@metadata][prefix]" => "order" } }
  } else if [my_index] == "merchant" {
    mutate { add_field => { "[@metadata][prefix]" => "merchant" } }
    ...
  } else  {
    mutate { add_field => { "[@metadata][prefix]" => "%{[@metadata][beat]}" } }
  }
}

output {
  elasticsearch {
    index => "%{[@metadata][prefix]}-%{+YYYY.MM.dd}"
  }
}

dinesh1 · November 30, 2018, 8:49am

Thanks for your help
I had one more query in above filter, using if condition is ok for 2 0r 3 items(like order , merchant).
But if i have 8 items then how to do...?

Christian_Dahlqvist · November 30, 2018, 9:08am

Either expand it (I cut it short to save space) or perhaps try using the translate plugin to set the field.

dinesh1 · December 12, 2018, 11:29am

actually my requirement is to get logs based on condition if condition fails it should be in else part, but in my case last indices that is filebeat-yyyy-xx-xx contains all logs...

filter {
if [my_index] == "order"{
mutate { add_field => { "[@metadata][prefix]" => "order" } }
} else if [my_index] == "merchant" {
mutate { add_field => { "[@metadata][prefix]" => "merchant" } }
...
} else {
mutate { add_field => { "[@metadata][prefix]" => "%{[@metadata][beat]}" } }
}
}

output {
elasticsearch {
index => "%{[@metadata][prefix]}-%{+YYYY.MM.dd}"
}
}

Christian_Dahlqvist · December 12, 2018, 11:45am

Check what your data looks like and why the conditions in that case appear to be failing.

dinesh1 · December 12, 2018, 11:57am

How can i get @metadata field in kibana

Christian_Dahlqvist · December 12, 2018, 12:04pm

You can not, but you can look at the fields used in the conditionals populating it , e.g. the my_index field in the example above. If this does not exist or is at the wrong level, everything will go to the else clause. If you can show an event that has ended up in the wrong index, we might be able to help.

dinesh1 · December 13, 2018, 5:47am

condition is working fine, may be there will be two @metadata I guess in each log.

Christian_Dahlqvist · December 13, 2018, 6:21am

I do not understand. Can you please show your config and an example of a document that goes to the incorrect index?

system · January 10, 2019, 6:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.