Netflow codec writes to multiple indexes

Elastic Stack Logstash
1

Hello,
I have logstash in 6.8.1 version my problem is that when I'm using two pipelines one for metricbeat and other for netflow I can't see metricbeat data. In elasticsearch I can see two indexes metricbeat-* and netflow_logstash-* but looks like both of them are netflow indexes.
My beast.conf file:

 input {
      beats {
        port => 5044
      }
    }



    output {
      elasticsearch {
        hosts => "localhost:9200"
        manage_template => false
    #    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
         index => "metricbeat-%{+YYYY.MM.dd}"
      }
    }

My netflow.conf:

input {
      udp {
        port  => 19000
        codec => netflow {
                netflow_definitions => "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-netflow-3.14.1/lib/logstash/codecs/netflow/netflow.yaml"
                versions => [9]
            }
      }
    }


    output {
      elasticsearch {
        hosts => "localhost:9200"
        index => "netflow_logstash-%{+YYYY.MM.dd}"
      }
    }

When I used index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" I had metricbeat index, netflow index and index named %{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd} with netflow data in it.

What is wrong with my pipelines?

2

Are you running them in separate pipelines? If they are both in the main pipeline then events will be read from both inputs and every event will be written to both outputs. Please see this post.

3

Thanks for your help
I misunderstood the concept of the pipeline. I thought that separate files = separate pipelines.
In pipelines.yml I had :

 peline.id: main
      path.config: "/etc/logstash/conf.d/*.conf"

After splitting pipelines (creating different pipelines IDs) everything is working fine.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.