Output with condition

sud0 · November 5, 2019, 1:46am

HI.

I have two businesses that must be separated in two different indexes.

I'm trying to separate them on the output:

output {

if [region] == "au" {
        elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "au-log-index-%{+YYYY.'w'ww}"
        }
    }

else {
        elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "nz-log-index-%{+YYYY.'w'ww}"
        }
    }

    stdout { codec => rubydebug }
}

I'm adding the region field like this; example.conf:

if [type] == "au_uat_apache_access_log" {
        mutate {
            replace => { 'host' => 'uatweb.datacentre.example.com.au' }
            add_field => { 'environment' => 'uat'
                           'service' => 'apache_access'
                           'region' => 'au'
            }
        }
        grok {
            match => {
                "message" => "%{IPORHOST:clientip}%{SPACE}\[%{HTTPDATE:timestamp}\]%{SPACE}%{NUMBER:port}%{SPACE}%{WORD:method}%{SPACE}%{URIPATHPARAM:request_uri}%{SPACE}%{NOTSPACE}%{SPACE}%{NUMBER:status_code}%{SPACE}%{NOTSPACE:bytes_delivered}%{SPACE}%{NUMBER:duration%}%{SPACE}(?:%{URI:referrer}|.*)%{SPACE}%{QS:agent}%{SPACE}%{GREEDYDATA:general_data}"
            }
        }

        date {
            match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
            target => "@timestamp"
        }
    }

However from Kibana I am only able to see the nz* index, which correspond to the else statement.

What am I doing wrong? Thanks in advance.

Christian_Dahlqvist · November 5, 2019, 5:50am

Is this condition ever true? Where is this type set? Can you show a document that had been indexed into the wrong index?

sud0 · November 5, 2019, 8:24pm

Yes, it does exist

file {
        type => "au_uat_apache_access_log"
        start_position => "beginning"
        path => "/mnt/logs/uatweb/access_log"
    }

Can you show a document that had been indexed into the wrong index?

The problem is that only one index is shown to me; I can only see the index below in Kibana:

else {
        elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "nz-log-index-%{+YYYY.'w'ww}"
        }
    }

Badger · November 5, 2019, 8:42pm

In Kibana, expand a document that is in the wrong index, go to the JSON tab, and post a copy of what is on that tab for a single document. Make sure you include the type and region fields.

sud0 · November 5, 2019, 8:56pm

I can't... I'm getting an error on Kibana so no data is being shown (when creating the index pattern):

"f0aa5110-000d-11ea-98c1-51084078b0aa" is not a configured index pattern ID
Showing the default index pattern: "nz*" (a5034ae0-000e-11ea-98c1-51084078b0aa)

There is no data being displayed.

system · December 3, 2019, 8:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to use if condition in logstash output section Logstash	3	299	May 30, 2019
IF/THEN in output config not working properly Logstash	4	578	February 26, 2018
How to Seperate docs in Logstash to different ES index Logstash	5	703	June 23, 2017
Logstash output: If field exists, use other index Logstash	3	11193	August 24, 2018
Conditional index in output Logstash	1	782	July 11, 2020

Output with condition

Related topics