Logstash output: If field exists, use other index

johann · July 27, 2018, 2:51pm

Hi all,

I want to use an other index, if a specific field exists...

My output-config looks like this:

output {
  if [kubernetes.namespace] {
    elasticsearch {
            hosts => "my-elastic.local:9200"
            index => "kubernetes-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
            hosts => "my-elastic.local:9200"
            index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}

Any ideas, why this is not working? Unfortunately it's using the "else" output (= index => "logstash-%{+YYYY.MM.dd}")

Strangely enough, I see that field "kubernetes.namespace" in Kibana...

Logstash version: 6.3.0

Thanks!

Badger · July 27, 2018, 2:56pm

That should probably be

if [kubernetes][namespace] {

johann · July 27, 2018, 3:03pm

that easy... thank you, problem solved!

system · August 24, 2018, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Clarification on if/else behavior in output Logstash	3	379	October 21, 2019
Output IF ELSE configuration error Logstash	8	35827	July 6, 2017
Logstash on kubernetes. Multiple output conditions Logstash	5	703	November 22, 2019
Does multiple indices in output work? Logstash	1	946	July 6, 2017
Output with condition Logstash	5	1671	December 3, 2019

Logstash output: If field exists, use other index

Related topics