Logstash loops

dinesh1 · 2018-11-29 12:01:18 UTC

Hi,
how to use loops for output in logstash.

output {

                    if [my_index] == "order"{
            elasticsearch {
                    hosts => [  "172.160.0.234" ]
                    index => "order-%{+YYYY.MM.dd}"
            }
    }
                    if [my_index] == "merchant"{
            elasticsearch {
                    hosts => [  "172.160.0.234}" ]
                    index => "merchant-%{+YYYY.MM.dd}"
            }
    }
	
	                        if [my_index] == "service"{
            elasticsearch {
                    hosts => [  "172.160.0.234" ]
                    index => "service-%{+YYYY.MM.dd}"
            }
    }
                    if [my_index] == "reorder"{
            elasticsearch {
                    hosts => [  "172.160.0.234}" ]
                    index => "reorder-%{+YYYY.MM.dd}"
            }
    }
            else {
                    elasticsearch {
                    hosts => [  "172.160.0.234}" ]
                    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
                            }
    }



 stdout { codec => rubydebug }

}

Christian_Dahlqvist · 2018-11-29 12:03:17 UTC

Why would you need loops? What is the problem you are trying to solve?

dinesh1 · 2018-11-29 12:11:13 UTC

I had 12 docker containers, I need to create seperate indices for each container.

Christian_Dahlqvist · 2018-11-29 12:11:46 UTC

Why?

dinesh1 · 2018-11-29 12:15:23 UTC

To reduce indices size, usually it is morethan 100gb perday

Christian_Dahlqvist · 2018-11-29 12:47:10 UTC

You do not necessarily need multiple outputs (which can be inefficient) and can do something like this:

filter {
  if [my_index] == "order"{
    mutate { add_field => { "[@metadata][prefix]" => "order" } }
  } else if [my_index] == "merchant" {
    mutate { add_field => { "[@metadata][prefix]" => "merchant" } }
    ...
  } else  {
    mutate { add_field => { "[@metadata][prefix]" => "%{[@metadata][beat]}" } }
  }
}

output {
  elasticsearch {
    index => "%{[@metadata][prefix]}-%{+YYYY.MM.dd}"
  }
}

dinesh1 · 2018-11-30 08:49:44 UTC

Thanks for your help
I had one more query in above filter, using if condition is ok for 2 0r 3 items(like order , merchant).
But if i have 8 items then how to do...?

Christian_Dahlqvist · 2018-11-30 09:08:19 UTC

Either expand it (I cut it short to save space) or perhaps try using the translate plugin to set the field.

dinesh1 · 2018-12-12 11:29:19 UTC

actually my requirement is to get logs based on condition if condition fails it should be in else part, but in my case last indices that is filebeat-yyyy-xx-xx contains all logs...

filter {
if [my_index] == "order"{
mutate { add_field => { "[@metadata][prefix]" => "order" } }
} else if [my_index] == "merchant" {
mutate { add_field => { "[@metadata][prefix]" => "merchant" } }
...
} else {
mutate { add_field => { "[@metadata][prefix]" => "%{[@metadata][beat]}" } }
}
}

output {
elasticsearch {
index => "%{[@metadata][prefix]}-%{+YYYY.MM.dd}"
}
}

Christian_Dahlqvist · 2018-12-12 11:45:08 UTC

Check what your data looks like and why the conditions in that case appear to be failing.

dinesh1 · 2018-12-12 11:57:18 UTC

How can i get @metadata field in kibana

Christian_Dahlqvist · 2018-12-12 12:04:16 UTC

You can not, but you can look at the fields used in the conditionals populating it , e.g. the my_index field in the example above. If this does not exist or is at the wrong level, everything will go to the else clause. If you can show an event that has ended up in the wrong index, we might be able to help.

dinesh1 · 2018-12-13 05:47:17 UTC

condition is working fine, may be there will be two @metadata I guess in each log.

Christian_Dahlqvist · 2018-12-13 06:21:29 UTC

I do not understand. Can you please show your config and an example of a document that goes to the incorrect index?