Output data in multiple indices based on fields

Harsh_Verma · December 18, 2017, 8:25pm

I have a logfile with some special logs and some general logs.I want the general logs to go in a general index and the special logs(logs which match any of my grok patterns) to go in a separate index and in the general index as well.
My pipeline conf looks like this:

input {
beats {
port => "5043"
}
}
filter {
grok {
match => [ "message", "PATTERN1",
"message", "PATTERN2"
]
}
if "_grokparsefailure" in [tags] {
mutate {
add_field => {"[@metadata][index]" => "generallogs"}
}
}
else{
mutate {
add_field => {"[@metadata][index]" => "speciallogs"}
}
}
}
output {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "%{[@metadata][index]}"
}
}

The only problem with this is that special logs go only in the special log index and not in the general log index. Is there a solution ? Thanks !

Badger · December 18, 2017, 9:12pm

Make the output to the other index conditional using something like:

output {

elasticsearch {
hosts => [ "localhost:9200" ]
index => "generallogs"
}

if "_grokparsefailure" not in [tags] {
elasticsearch {
hosts => [ "localhost:9200" ]
index => "speciallogs"
}
}

}

Harsh_Verma · December 18, 2017, 9:37pm

Makes perfect sense. Don't know why I was not able to think about this !

system · January 15, 2018, 9:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple pipelines or tags or if or else if? Logstash	3	2883	April 24, 2019
Does multiple indices in output work? Logstash	1	946	July 6, 2017
"Index" output setting Logstash	2	272	June 5, 2018
Log duplicated in multiple indexes Logstash	12	1896	July 6, 2017
Clarification on if/else behavior in output Logstash	3	379	October 21, 2019

Output data in multiple indices based on fields

Related topics