Output logs to multiple index from logstash

Mehak_Bhargava · November 21, 2019, 11:41pm

Hi there,

I am trying to send multiple log files from filebeat tologstash to elasticsearch. In kibana, I would like each log file under a separate index. This is my logstash.conf file:

# Sample Logstash configuration for creating a simple
# Beats -> Logstash -> Elasticsearch pipeline.

input {
  beats {
    port => 5044
  }
}
filter {
    if[type] =="DispatcherApp"{
		grok {
			match => {"message" => "%{COMBINEDAPACHELOG}"}
        }
	} else if [type] == "IncidentAgent" {
        grok {
            match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
    }else if [type] == "IMMService" {
        grok {
            match => { "message" => "%{COMBINEDAPACHELOG}" }
        }
    }
	  
  }

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
	sniffing => true
	manage_template => false
	index => "web-%{type}"
	document_type => "log"
    #index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

and filebeat.yml is-

filebeat.inputs:
    
    -
      paths:
         - E:\DemoSetup\DispatcherApp\logs\dispatcher-scheduler.log
      input_type: log
      document_type: DispatcherApp
           
    -  
      paths:
         - E:\DemoSetup\Incident Agent\Logs\Trace.log
      input_type: log
      document_type: IncidentAgent
           
    -input_type: log  
      paths:
         - E:\DemoSetup\Logs\IMSService\log.txt
      input_type: log
      document_type: IMMService
      
      
      #multiline.pattern: '^[0-9]{4}-[0-9]{2}-[0-9]{2}'
      #multiline.negate: true
      #multiline.match: after
      
    setup.template.name: "index-%{[beat.version]}"
    setup.template.pattern: "index-%{[beat.version]}-*"       

  
output:
  logstash:
    hosts: ["localhost:5044"]	
    #index: "index-%{[beat.version]}-%{[fields.type]:other}-%{+yyy.MM.dd}"

I just get a new index created called "web-%{type} and all three file logs are collected under it only. I think the type mentioned in filebeat.yml isnt being acknowledge in logstash file due to the if condition only taking message=> COMMONAPACHE!

Badger · November 22, 2019, 12:53am

I do not run filebeat but I know document types are being removed, so I wouldn't use anything that purports to set type, and thence _type.

Try using tags. The conditionals and sprintf reference in logstash will look similar.

That said, once each document is tagged with a type, why bother to put them in separate indexes? It is trivial to add a clause to the query to test the tag.

Mehak_Bhargava · November 22, 2019, 12:59am

Are you referring to below here?

setup.template.name: "index-%{[beat.version]}"
    setup.template.pattern: "index-%{[beat.version]}-*"

Do you agree with this? After I replace tags with document_types, should I change the filter in logstash.conf to co-relate the tags?

Badger · November 22, 2019, 2:26pm

No, I was referring to

index => "web-%{type}"

Mehak_Bhargava · November 22, 2019, 6:40pm

But then how will logstash know you create index by using the tagged field?

output {
  #if [@metadata][beat] == "filebeat"{
  elasticsearch {
    hosts => ["http://localhost:9200"]
	sniffing => true
	manage_template => false
	index => "%{[@metadata][type]}-%{+YYYY.MM.dd}"

Wont the "%{[@metadata][type] collect the type value in filebeat.yml and create separate index for each log file?

Badger · November 22, 2019, 6:51pm

I am not sure, I do not use filebeat.

Mehak_Bhargava · November 22, 2019, 6:51pm

Thanks a lot for your help!

system · December 20, 2019, 6:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.