Sending events from specific ip adress to specific index

wmulobole1 · September 13, 2022, 10:20pm

Hi, I am trying to separate my indexes by ip address. I want logs coming from three particular ips to go a specific index and the rest to go another index. I am not successful because the index is not showing up in Kibana. Could it be a problem with my filter in the logstash config.
Here is my logstash config

 filter {
  if [host.ip] =~ /^10\.25\.20\.(103|104|105)/  {
    mutate { add_tag => [ "poller" ] }
  } 
   else {
    mutate { add_tag => [ "generic" ] }
  }
}
 
output {
if "poller" in [tags] {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     index => "poller-logs-%{+YYYY.MM.dd}"
     }
   }
   else if "generic" in [tags] {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     index => "other-events-%{+YYYY.MM.dd}"
     }
   }
   else {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     }
   }
}

Badger · September 13, 2022, 11:36pm

That should very likely be if [host][ip] =~.

Even then in recent versions of logstash the elasticsearch output has ILM enabled by default so the index option is ignored.

system · October 11, 2022, 11:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
I want to output log to elasticsearch index from only specific "host.ip" Logstash	5	1390	April 6, 2021
How send the log to different index in Kibana Logstash	6	624	May 11, 2020
How to push same document into multiple indexes? Logstash	7	3289	September 19, 2018
Event routing to indexes not working Logstash	3	326	August 28, 2020
Filtering data to different indexes based on source iP Logstash	2	902	February 5, 2019

Sending events from specific ip adress to specific index

Related topics