Separated conf file duplicates search

sud0 · November 4, 2019, 7:38pm

Hi.

I've created two conf files under /etc/logstash/conf.d. Because I have two businesses in two different countries, I want them to be displayed in two separately indexes.

Index name nz-*
Index name au-*

However, in Kibana when discovering the data, even if I select only index nz-*, I can still see data from the other one.

What am I doing wrong?

business1.conf:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "au-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

business2.conf:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "nz-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

Badger · November 4, 2019, 7:43pm

If both configurations are running in the same pipeline then every event will get written to both elasticsearch outputs. You need to either run each business in its own pipeline or use conditionals in your processing.

sud0 · November 4, 2019, 7:47pm

That's interesting. Thanks for the help! I'll have a read about pipelines for sure! Will mark this question as solved.

system · December 2, 2019, 7:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Output with condition Logstash	5	1670	December 3, 2019
Keep one logstash conf file rather having multiple logstash conf file! Logstash	5	329	March 7, 2019
Multiple Logstash Configuration Files Logstash	4	5545	June 29, 2020
Logstash/Elasticsearch/Kibana Fundamentals Elasticsearch	3	397	December 27, 2019
Issue with Multiple .conf files Logstash	7	407	October 15, 2020

Separated conf file duplicates search

Related Topics