Sending events from specific ip adress to specific index

wmulobole1 · September 13, 2022, 10:20pm

Hi, I am trying to separate my indexes by ip address. I want logs coming from three particular ips to go a specific index and the rest to go another index. I am not successful because the index is not showing up in Kibana. Could it be a problem with my filter in the logstash config.
Here is my logstash config

 filter {
  if [host.ip] =~ /^10\.25\.20\.(103|104|105)/  {
    mutate { add_tag => [ "poller" ] }
  } 
   else {
    mutate { add_tag => [ "generic" ] }
  }
}
 
output {
if "poller" in [tags] {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     index => "poller-logs-%{+YYYY.MM.dd}"
     }
   }
   else if "generic" in [tags] {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     index => "other-events-%{+YYYY.MM.dd}"
     }
   }
   else {
   elasticsearch {
     hosts => [ "http://10.25.20.107:9200" ]
     }
   }
}

Badger · September 13, 2022, 11:36pm

That should very likely be if [host][ip] =~.

Even then in recent versions of logstash the elasticsearch output has ILM enabled by default so the index option is ignored.

system · October 11, 2022, 11:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.