Multiple index in elasticsearch from filebeat

Roque_Moyano · July 6, 2017, 6:10pm

Hi , I want to create a two outputs filters in logstash , that depends on the "type" field sent from filebeat:

     filebeat:
       prospectors:
        -
          paths:
                  - /var/log/app.log
               
          input_type: log
          document_type: app
        
        paths:
                  - /var/log/stuff.log
               
          input_type: log
          document_type: stuff

I have in logstash two filterss:

filterapp.conf

  filter {
    if[type] == "app" {
    
    .......         
}

filterfoo.conf

  filter {
    if[type] == "stuff " {
    
    .......         
}

output.conf

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

I would like to create 2 outputs with 2 indexes

app-*
stuff-*

How Can I tell to output {} to send the logs to app index or stuff index?

Roque_Moyano · July 6, 2017, 7:21pm

I dont know if this is the correct way , but it seems to be working:

output {

if [type] == "git" {

elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "stash-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

else
{

elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

warkolm · July 6, 2017, 10:32pm

That is the best way

steffens · July 7, 2017, 2:26pm

yeah, seems to work.

You can use the mutate filter to overwrite @metadata.type with another value in the filter section. Like:

filter {
  if [type] == "git" {
    mutate ...
  }
}

elasticsearch {
  hosts => ["localhost:9200"]
  sniffing => true
  manage_template => false
  index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  document_type => "%{[@metadata][type]}"
  }
}

Using @metadata in logstash is for 'private' use in your script. You can set/remove any fields at will. Logstash will remove @metadata when serializing the event to JSON.

Instead of overwriting '@metadata.beat', you can also create @metadata.index in the filter and use index => "{[@metadata][index]}".

Topic		Replies	Views
Output logs to multiple index from logstash Logstash	7	5853	December 20, 2019
Logstash sending same message to multiple indexes in ES Logstash	2	2937	August 9, 2017
Create multiple indexes Elasticsearch	4	410	December 13, 2023
Create Multiple Indexes from filebeat Logstash	3	1604	September 30, 2021
Filebeat => logstash index Logstash	3	1271	May 2, 2017

Multiple index in elasticsearch from filebeat

Related topics