Separate indexes for grok filters

nikhilesh · March 18, 2020, 6:24am

I am wondering how to create separated indexes for different logs fetched into logstash (which were later passed onto elasticsearch), so that in kibana,

In my case, I have a few client servers (each of which is installed with filebeat ) and a centralized log server ( ELK ). Each client server has different kinds of logs. (i.e. one filebeat should read one grok filter and another filebeat should read another grok filter)

i am using ELK 7.6 , i heard that document_type was deprecated . so how to achieve this.

Fabio-sama · March 18, 2020, 8:24am

Hi there,

add a tag in your filebeat and in your logstash pipeline separate actions to take with a if...else statement on the tags field (or whatever other field you're putting your tags into).

nikhilesh · March 18, 2020, 8:27am

Hi Fabio,
what tag we have to add in filebeat yml file? i have added
if type ==[xxx] in logstash filter section. so how filebeat will read/direct to that particular tag(xxx) in logstash..

Fabio-sama · March 18, 2020, 8:35am

Will it work if in your filebeat.yml you put something like

- add_tags:
    tags: [xxx]
    target: "type"

and in your logstash conf file a check like: if "xxx" in [type] ?

system · April 15, 2020, 8:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help with filebeat settings to separate logs in logstash for grok parser Beats filebeat	6	627	February 16, 2020
Logstash can't create separate indexes Logstash	3	264	November 5, 2020
Help jump from logstash to beats Beats filebeat	6	929	December 11, 2017
More indexes in Filebeat Kibana	6	392	August 21, 2018
Seperate indexes for each log path field error Logstash	4	345	January 15, 2020

Separate indexes for grok filters

Related topics