Multiple pipelines or tags or if or else if?

Badger · March 26, 2019, 6:08pm

Not sure which of those issues you want to address, but I will assume you want to send different types of data to different indexes based on tags. There are two approaches. One is to use conditionals in the output section.

output { 
    if "somestring" in [tags] {
        elasticsearch { "index" => "Foo" }
    } else if "otherstring" in [tags] {
        elasticsearch { "index" => "Bar" }
    } else {
        elasticsearch { "index" => "Baz" }
    }
}

Another is to use conditionals to put the index name into a field

filter {
    if "somestring" in [tags] {
         mutate { add_field => { "[@metadata][indexPrefix]" => "Foo" } }
    } else if "otherstring" in [tags] {
         mutate { add_field => { "[@metadata][indexPrefix]" => "Bar" } }
    } else {
         mutate { add_field => { "[@metadata][indexPrefix]" => "Baz" } }
    }
}
output {
    elasticsearch { index => "%{[@metadata][indexPrefix]}-%{+YYYY.MM}" }
}

Topic		Replies	Views
Multiple syslog input into logstash Logstash	3	1149	November 8, 2022
How to push same document into multiple indexes? Logstash	7	3360	September 19, 2018
Logstash sending all data to elasticsearch via wrong pipeline Logstash	11	1363	February 25, 2019
How to use if else statments in logstash output pipline? Logstash	9	36835	March 9, 2018
Multiple output options in logstash.conf Logstash	9	9902	January 27, 2021

Multiple pipelines or tags or if or else if?

Related topics