Logstash output: If field exists, use other index

johann · July 27, 2018, 2:51pm

Hi all,

I want to use an other index, if a specific field exists...

My output-config looks like this:

output {
  if [kubernetes.namespace] {
    elasticsearch {
            hosts => "my-elastic.local:9200"
            index => "kubernetes-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
            hosts => "my-elastic.local:9200"
            index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}

Any ideas, why this is not working? Unfortunately it's using the "else" output (= index => "logstash-%{+YYYY.MM.dd}")

Strangely enough, I see that field "kubernetes.namespace" in Kibana...

Logstash version: 6.3.0

Thanks!

Badger · July 27, 2018, 2:56pm

That should probably be

if [kubernetes][namespace] {

johann · July 27, 2018, 3:03pm

that easy... thank you, problem solved!

system · August 24, 2018, 3:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.