Output to different elastic search Indices based on the string

mussa572 · December 12, 2021, 11:53pm

Hi
I have a Category field (cat) which can have following value and future expect to add more.

BL
LA
KA

Currently I have following code to output to the different Elasticsearch indices from our Logstash pipeline . I was wondering is there a dynamic way where I don't have to add a new if statement each time I have a new Category and If I can achieve the following with more dynamic and small code and should automatically output to the right index without me add a new statement each time I add a new category.

output {
 

  if "BL" in [cat] {

   elasticsearch {

		hosts => "elasticsearch:9200"
		index => "Index-BL"
    }
  
  if "LA" in [cat] {

   elasticsearch {

		hosts => "elasticsearch:9200"
		index => "Index-LA"
    }  
  if "KA" in [cat] {

   elasticsearch {

		hosts => "elasticsearch:9200"
		index => "Index-KA"
    }

Badger · December 13, 2021, 1:53am

You can use a sprintf reference. In the output you can use

index => "Index-%{cat}"

If you only want a certain set of indexes created use

if [cat] in [ "BA", "KA", "LA" ]

around the output.

mussa572 · December 13, 2021, 2:12am

Thanks for the reply . I will try and test . Does that mean I can remove the if statements and Logstash will send the output to the right index ?

Badger · December 13, 2021, 3:40am

That's the idea, yes.

system · January 10, 2022, 3:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.