Output data in multiple indices based on fields

Harsh_Verma · December 18, 2017, 8:25pm

I have a logfile with some special logs and some general logs.I want the general logs to go in a general index and the special logs(logs which match any of my grok patterns) to go in a separate index and in the general index as well.
My pipeline conf looks like this:

input {
beats {
port => "5043"
}
}
filter {
grok {
match => [ "message", "PATTERN1",
"message", "PATTERN2"
]
}
if "_grokparsefailure" in [tags] {
mutate {
add_field => {"[@metadata][index]" => "generallogs"}
}
}
else{
mutate {
add_field => {"[@metadata][index]" => "speciallogs"}
}
}
}
output {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "%{[@metadata][index]}"
}
}

The only problem with this is that special logs go only in the special log index and not in the general log index. Is there a solution ? Thanks !

Badger · December 18, 2017, 9:12pm

Make the output to the other index conditional using something like:

output {

elasticsearch {
hosts => [ "localhost:9200" ]
index => "generallogs"
}

if "_grokparsefailure" not in [tags] {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "speciallogs"
}
}

}

Harsh_Verma · December 18, 2017, 9:37pm

Makes perfect sense. Don't know why I was not able to think about this !

system · January 15, 2018, 9:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple pipelines or tags or if or else if? Logstash	3	2875	April 24, 2019
Does multiple indices in output work? Logstash	1	946	July 6, 2017
I need to have multiple index based on the path of log file Elasticsearch	3	245	October 7, 2021
Multiple output in logstash config, pls help! Logstash	7	4095	December 20, 2016
Conditional index in output Logstash	1	737	July 11, 2020

Output data in multiple indices based on fields

Related Topics