Publish same Log file logs to elastic with different index

Vinutha_A_H · June 10, 2020, 12:53pm

Hi,

We are trying to read a log file twice. Sending one copy as it is (just mapping the key to each field in logs using grok) to kafka/elastic with index xyz and second copy by removing some fields (we are also doing key mapping to each field in logs using grok) to Kafka/elastic with index abcd. The Kafka broker, topic and everything else is same.

I see most of the logs being published to both the index but I also see few missing in either of the index.

So, would like to get a expert view on this. As, if it is the correct thing to do and is logstash expected to work smoothly in this scenario.

Vinutha_A_H · June 11, 2020, 8:52am

Hi,

Any comments on this topic?

Jenni · June 11, 2020, 11:38am

I don't see an obvious reason why this wouldn't work, but then again it's a very abstract question. Maybe the Logstash configuration, Elasticsearch field mappings, error logs or examples for the missing events would give us a clue.

Vinutha_A_H · June 11, 2020, 1:13pm

Thanks Jenni for your response. Logstash config looks as below and dont see any errors in logstash logs.

The index mapped at elastic are 'abcd' and 'abd-efg'
Please let me know, if in case any issues with these config and mapping.

//
Input {
file {
path => ["/local/logs/filename.log"]
add_field => { "app" => "abcd" "DOMAIN" => "test"}
type => 'wxyz'
}
file {
path => ["/local/logs/filename.log"]
add_field => { "app_id" => "abc-efg" "DOMAIN" => "test"}
type => 'wxy'
}
}

filter {
if [type] == "wxyz" {
grok {
match => [ "message", "%{DATE:date}-%{TIME:time} NAME:%{GREEDYDATA:text} DATA:%{GREEDYDATA:text}" ]
}
mutate { remove_field => [ "message" , "DATA" ] }
mutate { add_field => [ "ts" , "%{date} %{time}" ] }
date {
match => [ "ts", "yy/MM/dd HH:mm:ss" ]
target => "@timestamp"
}
}
if [type] == "wxy" {
grok {
match => [ "message", "%{DATE:date}-%{TIME:time} NAME:%{GREEDYDATA:text} DATA:%{GREEDYDATA:text}" ]
}
mutate { add_field => [ "ts" , "%{date} %{time}" ] }
date {
match => [ "ts", "yy/MM/dd HH:mm:ss" ]
target => "@timestamp"
}
}
}

output {
kafka {
topic_id => ""
bootstrap_servers => "brokerhost:brokerport"
codec => json {}
security_protocol => "SSL"
ssl_keystore_location => ""
ssl_keystore_password => ""
ssl_truststore_location => ""
ssl_truststore_password => ""
}
}

Vinutha_A_H · June 12, 2020, 11:40am

Hi Jenni, I hope there is nothing wring in the config. Please confirm.

system · July 10, 2020, 11:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Create multiple indexes with single logstash configuration file depending upon the kafka channel Logstash	5	748	May 15, 2019
One kafka topic data is pushing to all elasticsearh Logstash	2	313	November 12, 2019
Multiple kafka topics using logstash and make index inside output with `.conf` file Logstash	3	274	February 27, 2024
Kafka input to logstash Logstash	1	270	August 9, 2019
Logstash pipeline output \| duplicate messages ending up indexes Logstash	5	1740	October 17, 2019

Publish same Log file logs to elastic with different index

Related topics