Sending events from specific ip adress to specific index

wmulobole1 · September 13, 2022, 10:20pm

Hi, I am trying to separate my indexes by ip address. I want logs coming from three particular ips to go a specific index and the rest to go another index. I am not successful because the index is not showing up in Kibana. Could it be a problem with my filter in the logstash config.
Here is my logstash config

 filter {
  if [host.ip] =~ /^10\.25\.20\.(103|104|105)/  {
    mutate { add_tag => [ "poller" ] }
  } 
   else {
    mutate { add_tag => [ "generic" ] }
  }
}
 
output {
if "poller" in [tags] {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     index => "poller-logs-%{+YYYY.MM.dd}"
     }
   }
   else if "generic" in [tags] {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     index => "other-events-%{+YYYY.MM.dd}"
     }
   }
   else {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     }
   }
}

Badger · September 13, 2022, 11:36pm

That should very likely be if [host][ip] =~.

Even then in recent versions of logstash the elasticsearch output has ILM enabled by default so the index option is ignored.

system · October 11, 2022, 11:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I want to output log to elasticsearch index from only specific "host.ip" Logstash	5	1382	April 6, 2021
How to push same document into multiple indexes? Logstash	7	3284	September 19, 2018
Event routing to indexes not working Logstash	3	326	August 28, 2020
Logstash parsing syslog to different indices depending on source hosts Logstash	6	5280	August 8, 2017
Could not index event to Elasticsearch, mapper [geoip.location] of different type Elasticsearch	5	571	October 1, 2020

Sending events from specific ip adress to specific index

Related Topics