Outputting into different indices based on source

d112 · September 27, 2019, 6:54pm

I want to create different indices based on the source of the data. I currently have:

input {
beats {
    port => 5044
}}

filter {
    if ([source] =~ "examiner.log") {
        json {
        source => "message"	
        add_tag => ["examiner"]
        }
    } else if ([source] =~ "temp.log") {
        mutate {
            add_tag => ["TEMP"]
        }
    }
}

output {
    if ([source] =~ "examiner.log") {
        elasticsearch {
        hosts => "localhost:9200"
        index => "examiner"
        }
    } else {
         elasticsearch {
        hosts => "localhost:9200"
        index => "data"
        }
    }
}

Only the data index gets created, I'm not sure why the first conditional is skipped in the output.

system · October 25, 2019, 6:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Field reference from _source for conditional output Logstash docker	5	573	October 21, 2021
Elasticsearch index based on source field Logstash	2	2489	September 14, 2017
Output data in multiple indices based on fields Logstash	3	2919	January 15, 2018
Does multiple indices in output work? Logstash	1	946	July 6, 2017
Creating index depends on source Logstash	7	2566	March 28, 2019

Outputting into different indices based on source

Related topics