Hi,
We are using Logstash to send application logs to their respective indices in Elasticsearch.
We have 2 applications which are sending logs to Logstash from Filebeat. Each application's Filebeat configuration has a respective document_type associated with it.
We filter on that document type to send logs to a particular index. Somehow I find that any message sent by application 2 (app2) is being sent to the indices of both app1 and app2.
Here is my Logstash configuration:
input {
  beats {
    host => "172.17.80.50"
    port => "5044"
    client_inactivity_timeout => "600"
    ssl => false
  }
}
output {
  if [type] == "app1_app_log" or "app1_web_log" {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "index1-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}
output {
  if [type] == "app2_app_log" or "app2_web_log" {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "index2-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }
}
I am wondering how come logs with app2_app_log and app2_web_log are being sent to both index1 and index2? Am I missing something here? Any help will be appreciated.
I have also tried to use an if and else if based statement, but even with that, logs are being sent to both of the indices configured in the above configuration.
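
Added example, not part of the original post: in a Logstash conditional, `[type] == "a" or "b"` is evaluated as `([type] == "a") or ("b")`, and the bare string on the right is always truthy, so each `if` above matches every event. One way to write the intended routing, reusing the hosts, index names and type values from the post (the final `stdout` branch is an assumption added here to make unmatched events visible):

```logstash
output {
  # Membership test: true only when [type] equals one of the listed values.
  # Equivalent long form:
  #   if [type] == "app1_app_log" or [type] == "app1_web_log" { ... }
  if [type] in ["app1_app_log", "app1_web_log"] {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "index1-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else if [type] in ["app2_app_log", "app2_web_log"] {
    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "index2-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else {
    # Assumption (not in the original post): print events whose [type]
    # matches neither application, so a mistyped or missing document_type
    # on the Filebeat side shows up instead of being silently dropped.
    stdout { codec => rubydebug }
  }
}
```

Because the branches are mutually exclusive, an event can reach at most one index, which keeps each application's logs out of the other application's index.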