Outputting into different indices based on source

d112 · September 27, 2019, 6:54pm

I want to create different indices based on the source of the data. I currently have:

input {
beats {
    port => 5044
}}

filter {
    if ([source] =~ "examiner.log") {
        json {
        source => "message"	
        add_tag => ["examiner"]
        }
    } else if ([source] =~ "temp.log") {
        mutate {
            add_tag => ["TEMP"]
        }
    }
}

output {
    if ([source] =~ "examiner.log") {
        elasticsearch {
        hosts => "localhost:9200"
        index => "examiner"
        }
    } else {
         elasticsearch {
        hosts => "localhost:9200"
        index => "data"
        }
    }
}

Only the data index gets created, I'm not sure why the first conditional is skipped in the output.

system · October 25, 2019, 6:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.