Multiple logs to different index - Filebeat

Charakterny · November 19, 2020, 2:38pm

Hello,
I have in one filebeat.yml two paths for two different logs and it works fine but I need to divide to two index.
I tried as below:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/nginx/*.log
  fields:
    type: "nginx"

- type: log
  enabled: true
  paths:
    - /var/log/app/*.log
  fields:
    type: "app"

Elasticsearch template setting:
setup.template.settings:
  index.number_of_shards: 4
setup.template.name: "nginx"
setup.template.pattern: "nginx-*"
setup.template.name: "app"
setup.template.pattern: "app-*"
setup.ilm.enabled: false

and in Elasticsearch output:
index: "nginx-%{+yyyy.MM.dd}-%{[fields.type]:nginx}"
index: "nginx-%{+yyyy.MM.dd}-%{[fields.type]:app}"

But is something wrong.
In Elastic I can create nginx index, can't create app index and still logs are from two paths.
I would be grateful for your advice.

warkolm · November 20, 2020, 12:47am

Take a look at the example conditional output here for how to do what you want - Filebeat conditional output logstash

Also, please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

Charakterny · November 20, 2020, 9:09am

Thanks, but still I don't know how to implement in my config. This example is quite different that my case. I need to have in gui two spaces with different logs from one filebeat.

system · December 18, 2020, 9:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.