Output to different index based on field

krsecurity · January 8, 2022, 11:01pm

In the end, I gave up trying to use logstash and used this method of achieving what I desired:


output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  indices:
    - index: "filebeat-netflow"
      when.equals:
        event.module: "netflow"
    - index: "filebeat-threatintel"
      when.equals:
        event.module: "threatintel"

Topic		Replies	Views
Using Filebeat with multiple indices and logstash Beats filebeat	4	2824	January 13, 2020
Override index name while using the inbuilt filebeat modules Beats beats-module , filebeat	6	1128	August 10, 2020
How to use filebeat fields name value in logstash config Beats filebeat	5	14781	May 2, 2017
Best practice for setting index names when using filebeats to logstash Beats filebeat	3	2207	March 4, 2018
Handling multiples modules output to multiples indexes, good practice? Beats filebeat	4	4989	July 25, 2019

Output to different index based on field

Related topics