Questions about the Logstash Configuration

Hi, I am new to Logstash, I built up 2 configuration file on my server for 2 types of log; I put the 2 types of logs into different folder:/FW_Log and /VAL-LOG; , and put the 2 config files under same folder: /logstash/configs/ and run : ./bin/logstash -f ./configs/ ; the logstash can read the log files from both 2 folders, but the logs read from both 2 folders are all using the first configuration to split the log?

Config A:
#data input
input{
file{
path => ["/logserver/FW_LOG/."]
type => "system"
start_position => "beginning"}
}
#data filter
filter{
mutate{
split=>["message","] "]
add_field=>{
"field1"=>"%{[message][0]}"
}
add_field=>{
"loginfo"=>"%{[message][1]}"
}
remove_field=>["message"]
}
#data output
output{
elasticsearch {
hosts => ["localhost:9200"]
}
}

Config B:
#data input
input{
file{
path => ["/logserver/VAL_LOG/."]
type => "system"
start_position => "beginning"}
}
#data filter
filter{
grok{
match => {
"message" => "\s*%{TIME:TestTime}\s*.%{LOGLEVEL:log_level}\s*.\s*%{GREEDYDATA:loginfo}"
}
remove_field => ["message"]
}
}
#data output
output{
elasticsearch {
hosts => ["localhost:9200"]
}
}

Config files are merged together, you need to use something like this to split them - https://www.elastic.co/guide/en/logstash/current/config-examples.html#using-conditionals

it fixed my problem, thanks a lot;

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.