I have five servers which generate 5 different JSONs with two identifying fields: type (example value server1) and source (example value server_name).
My question is whether I can send the data of the five servers to one input port, recognize the inputs based on the type and source fields, and create 5 indexes in Elasticsearch?
Hello @hoff,
Yes, you can send it and can apply a filter with the loop of if / else if.
I was doing the same the day before.
Regards
Shrikant
I have a configuration like this:
```
input {
  tcp {
    port => 5044
    codec => json
  }
}
filter {
  # Set the event type from the nested servername field
  if ([fields][servername] == "first") {
    mutate {
      replace => {
        "[type]" => "first"
      }
    }
  } else if ([fields][servername] == "second") {
    mutate {
      replace => {
        "[type]" => "second"
      }
    }
  }
}
output {
  elasticsearch {
    hosts => "x.x.x:x"
    manage_template => false
    # One index per type per day
    index => "%{type}-%{+YYYY.MM.dd}"
  }
}
```
This is an example configuration with two servers for tests. Below you can see the name of the returned index.
Hello @hoff
This is my Logstash config file:
```
input {
  beats {
    port => 5044
  }
}
filter {
  # Events from this service carry JSON in the message field
  if [service_id] == "pDNcb2gBY7Thni_1PwRv" {
    json {
      source => "message"
    }
    date {
      match => [ "received", "yyyy-MM-dd HH:mm:ss" ]
      target => "@timestamp"
    }
  } else {
    # Everything else is parsed as CSV
    csv {
      separator => ","
      columns => ["request","Gender","Name","ID"]
    }
    date {
      match => [ "received", "yyyy-MM-dd HH:mm:ss" ]
      target => "@timestamp"
    }
  }
}
output {
  # Route each service to its own index
  if [service_id] == "pDNcb2gBY7Thni_1PwRv" {
    elasticsearch {
      hosts => "localhost:9200"
      index => "index_name"
    }
    stdout {}
  } else {
    elasticsearch {
      hosts => "localhost:9200"
      index => "index_name"
    }
    stdout {}
  }
}
```
Thank you for the replies, shrikantgulia.
I solved my problem.
I transformed the nested fields in the filter using a mutate with rename, and next I placed the renamed field in the output.
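
A sketch of the approach described in the last post, added here as an example and not hoff's actual configuration: the nested field is renamed to the top level and then drives the index name. Because any sender that can reach the TCP port chooses the field value, the index prefix is only taken from an allowlist. Assumptions: the server names beyond "first" and "second", the `servername` target field, the `[@metadata][index_prefix]` field and the `unknown` fallback index.

```logstash
input {
  tcp {
    port => 5044
    codec => json
  }
}
filter {
  # Move the nested field to the top level (the rename described above)
  mutate {
    rename => { "[fields][servername]" => "servername" }
  }

  # Allowlist of expected senders (names are assumptions). Only these
  # values may become an index prefix; the field is client-controlled.
  if [servername] in ["first", "second", "third", "fourth", "fifth"] {
    mutate {
      add_field => { "[@metadata][index_prefix]" => "%{servername}" }
    }
  } else {
    # Missing or unexpected value: send to a fallback index instead of
    # creating an index literally named "%{servername}-..." or one
    # chosen by the sender.
    mutate {
      add_field => { "[@metadata][index_prefix]" => "unknown" }
      add_tag   => [ "unrecognized_source" ]
    }
  }
}
output {
  elasticsearch {
    hosts => "x.x.x:x"
    manage_template => false
    # @metadata fields are not written to the stored document
    index => "%{[@metadata][index_prefix]}-%{+YYYY.MM.dd}"
  }
}
```

Events tagged `unrecognized_source` land in the `unknown-*` indexes, which makes unexpected senders easy to review.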