I tried to configure multiple indices in Filebeat 7.5.2, but it didn't work. Please suggest a fix.
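# Three log inputs. Each one splits its lines into fields with a dissect
# processor and adds a tag that identifies the source, so that whatever
# receives the events can tell the three streams apart.
filebeat.inputs:
  # LDAP sync error log.
  - type: log
    enabled: true
    paths:
      - /app/logs/ldapsync/dnp_ldap_interface_error.log
    processors:
      - dissect:
          # The level is the literal word ERROR, so only ERROR lines match.
          tokenizer: ' %{timestamp} ERROR [%{task}] (%{code}) - %{Text}'
          field: "message"
          # Empty prefix: the extracted keys are created at the event root.
          target_prefix: ""
    tags: ["ldap_error"]

  # LDAP sync general log; the level is captured into `category`.
  - type: log
    enabled: true
    paths:
      - /app/logs/ldapsync/dnp_ldap_interface.log
    processors:
      - dissect:
          tokenizer: ' %{timestamp} %{category} [%{task}] (%{code}) - %{Text}'
          field: "message"
          target_prefix: ""
    tags: ["ldap"]

  # Audit, business and error logs written as <L:RECORD>...</L:RECORD> records.
  - type: log
    enabled: true
    paths:
      - /app/logs/AuditLog*nat.bt.com.txt
      - /app/logs/BusLog*nat.bt.com.txt
      - /app/logs/ErrLog*nat.bt.com.txt
    # The dot is escaped so that only names ending in ".gz" are excluded; an
    # unescaped "." matches any character.
    exclude_files: ['\.gz$']
    # NOTE(review): as written, "[[<L:RECORD>]" appears to be a character class
    # followed by a literal "]", which would not match a line that starts with
    # "<L:RECORD>". Confirm the intended pattern and negate setting before
    # relying on multiline joining for these records.
    multiline.pattern: '^[[<L:RECORD>]]'
    multiline.negate: false
    multiline.match: after
    processors:
      - dissect:
          # API_VER ("BPTM Java API v3.3.9.9") and RECORD_VER ("3.1") are
          # literals in this tokenizer, so a record carrying any other version
          # will not match and will not be split into fields. For audit
          # records it is worth watching for events that arrive unparsed.
          tokenizer: '<L:RECORD><L:EPOCH>%{App_Epoch}</L:EPOCH><L:DATE>%{Date}</L:DATE><L:TIME>%{App_Time}</L:TIME><L:HOST>%{Host}</L:HOST><L:IP>%{Ip}</L:IP><L:SERVER>%{Server}</L:SERVER><L:PORT>%{Port}</L:PORT><L:MESSAGEID>%{Messageid}</L:MESSAGEID><L:CATEGORY>%{Category}</L:CATEGORY><L:SEVERITY>%{Severity}</L:SEVERITY><L:E2EDATA>%{E2E.Data}</L:E2EDATA><L:TEXT>%{Text}</L:TEXT><L:APP_CONTEXT>Client IP: %{ClientIp}</L:APP_CONTEXT><L:API_VER>BPTM Java API v3.3.9.9</L:API_VER><L:LOCATION>%{Location}</L:LOCATION><L:TIER>%{Tier}</L:TIER><L:RECORD_VER>3.1</L:RECORD_VER></L:RECORD>'
          field: "message"
          target_prefix: ""
    tags: ["bptm"]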
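#----------------------------- Logstash output --------------------------------
# The Logstash output accepts one `index` string and has no conditional index
# selection; the `indices` list with `when` conditions belongs to
# output.elasticsearch. Repeating `index` / `when.contains` inside this single
# mapping only creates duplicate keys, so at most one of them could take
# effect. They are removed here.
#
# Each input in filebeat.inputs already tags its events, so select the index
# in the Logstash pipeline from [tags]. Intended mapping:
#   ldap_error -> app1234-abc-ldapsyncerror
#   ldap       -> app1234-abc-ldapsynctiming
#   bptm       -> app1234-abc-bptm
output.logstash:
  # The Logstash hosts
  hosts: ["XXXXXXXX:50495"]
  # CA certificate used to verify the Logstash server over TLS. These events
  # include audit records and client IP addresses, so keep certificate
  # verification on (do not set ssl.verification_mode to none).
  ssl.certificate_authorities: ["/app/Elasticsearch/filebeat-7.5.2/logstash-forwarder.crt"]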
#================================ Logging =====================================
# Log level for Filebeat's own log output.
logging:
  level: info