I'm looking to send data to two different Elasticsearch instances. If pretty sure that each one of these options will work but many months ago I had a similar setup in a different environment and the way I had implemented the split created some odd issues with the data in each environment. I don't remember all of the details so I figured I'd just post this here and double-check.
Along with sending data to two ES instances, I would like to send metricbeat data from a specific host to the second ES instance. Is one of the options below better than the other? Nested IF vs two different IF's? If it even makes a difference.
Option 1, nested IF statement:
output {
if [agent][type] == "metricbeat" {
elasticsearch {
hosts => ["https://abc.gov:9243"]
manage_template => false
index => "metricbeat-%{[agent][version]}"
user => logstash_internal
password => Pleasework18_li
ssl => true
cacert => "/etc/logstash/cert.pem"
index => "metricbeat-%{[agent][version]}"
ilm_rollover_alias => "metricbeat-%{[agent][version]}"
ilm_pattern => "000001"
ilm_policy => "metricbeat-%{[agent][version]}"
}
if [agent][type] == "metricbeat" and [host][hostname] =~ "(host1|host2|host3)" {
elasticsearch {
hosts => ["https://def.gov:9243"]
manage_template => false
index => "metricbeat-%{[agent][version]}"
user => logstash_internal
password => Pleasework18_li
ssl => true
cacert => "/etc/logstash/cert.pem"
index => "metricbeat-%{[agent][version]}"
}
}
}
Option 2, two different IF statements:
output {
if [agent][type] == "metricbeat" {
elasticsearch {
hosts => ["https://abc.gov:9243"]
manage_template => false
index => "metricbeat-%{[agent][version]}"
user => logstash_internal
password => Pleasework18_li
ssl => true
cacert => "/etc/logstash/cert.pem"
index => "metricbeat-%{[agent][version]}"
ilm_rollover_alias => "metricbeat-%{[agent][version]}"
ilm_pattern => "000001"
ilm_policy => "metricbeat-%{[agent][version]}"
}
}
if [agent][type] == "metricbeat" and [host][hostname] =~ "(host1|host2|host3)" {
elasticsearch {
hosts => ["https://def.gov:9243"]
manage_template => false
index => "metricbeat-%{[agent][version]}"
user => logstash_internal
password => Pleasework18_li
ssl => true
cacert => "/etc/logstash/certt.pem"
index => "metricbeat-%{[agent][version]}"
}
}
}