Hi All,

Is it possible to send to two ELK cluster by the following format:

output {
elasticsearch {
hosts=> ["node1","node2","node3"]
}
elasticsearch {
hosts=> ["server1","server2","server3"]
}

}

Thank you alot!

Yes

so i added the following output:
output {

elasticsearch {
hosts => [ "esh-prod-elasticsearch-01.eqx.com:9200" , "esh-prod-elasticsearch-02.eqx.com:9200" , "esh-prod-elasticsearch-03.eqx.com:9200" , "esh-prod-elasticsearch-04.eqx.com:9200" , "esh-prod-elasticsearch-05.eqx.com:9200" ]
manage_template => false
index => "%{se_deployment}-%{se_site}-%{ix_profile}-%{+YYYY.MM.dd}"
user => logstash_inter
password => logstash_inter
}

elasticsearch {
hosts => [ "esh-sd-elasticsearch01:9200" , "esh-sd-elasticsearch02:9200" , "esh-sd-elasticsearch03:9200" ]
manage_template => false
index => "%{se_deployment}-%{se_site}-%{se_profile}-%{+YYYY.MM.dd}"
}

Debugging to file

file { codec => rubydebug
path => "/var/log/logstash/logstash-debug.log" }
}

but i see the logs only in the second output and not the first one although the debugging show everything is correct .

If there would be a problem with one of the outputs Logstash would shutdown to prevent data loss. This happened to me a few times so that is something to keep in mind.

The index name is different in the two outputs. Is that on purpose? The first one has %{ix_profile} and the second one has %{se_profile}.

First , thanks for quick respond!
you are right i change it now and i hope it will be fixed they both should be %{se_profile}!
it fixed that!!
tnx alot<3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.