Sending output to different indices depending on conditions

DetlefG · September 20, 2023, 7:31am

Hi,
I try to write logs via filebeat to different indices depending on a field in the logs. But I'm not sure, how the rule setting when is working.
Is it correct, that if the first when condition is fullfilled the second and further will not be checked ?

For better explanation - the goal is to write to different indices depending on the field kubernetes.namespace. If the field kubernetes.namespace contains test then the log should be written to index k8s-%{[kubernetes.namespace]}-%{[loglevel]} otherwise to k8s-%{[kubernetes.namespace]}.

Does the following configuration work as described above or will logs be written to both indices - k8s-%{[kubernetes.namespace]}-%{[loglevel]} and k8s-%{[kubernetes.namespace]} - if namespace is containing test ?

output.elasticsearch:
  hosts: ['${ELASTICSEARCH_HOSTS}']
  index: "filebeat-%{[beat.version]}-%{+yyyy.MM.dd}"
  indices:
    - index: "k8s-%{[kubernetes.namespace]}-%{[loglevel]}"
      when.regexp:
        kubernetes.namespace: "test"
    - index: "k8s-%{[kubernetes.namespace]}"
      when.regexp:     
        kubernetes.namespace: ".*"

Thnx for any help !

Best regards, Detlef

system · October 18, 2023, 9:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to create indices based on kubernetes metadata Beats filebeat	4	3971	March 19, 2018
Send k8s logs with Filebeat to separate indices Beats filebeat	2	1880	October 30, 2020
Set indices based on a field value Beats filebeat	5	3564	January 18, 2017
In logstash, I want to save logs to different outputs for each k8s namespace Logstash docker	4	1332	September 28, 2021
Creating a seperate index for conflicting logs Beats filebeat	6	25	August 12, 2024

Sending output to different indices depending on conditions

Related topics