I want two of my hosts to write to a different index. Based on the articles I've read on here this output statement in /etc/logstash/conf.d/input.conf should create a new index when it finds these two hosts....but it's not. Kibana only shows the filebeat-* but these two hosts are no longer appearing in Discover. Where is the data going? I don't see any errors on start up. Do I need to define the new index somewhere before the below statement will work?
output {
if [host.name] in ["lab4a", "lab4b"] {
elasticsearch {
index => "lab4-%{+YYYY.MM.dd}"
}
}
}