Separated conf file duplicates search

sud0 · November 4, 2019, 7:38pm

Hi.

I've created two conf files under /etc/logstash/conf.d. Because I have two businesses in two different countries, I want them to be displayed in two separately indexes.

Index name nz-*
Index name au-*

However, in Kibana when discovering the data, even if I select only index nz-*, I can still see data from the other one.

What am I doing wrong?

business1.conf:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "au-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

business2.conf:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "nz-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

Badger · November 4, 2019, 7:43pm

If both configurations are running in the same pipeline then every event will get written to both elasticsearch outputs. You need to either run each business in its own pipeline or use conditionals in your processing.

sud0 · November 4, 2019, 7:47pm

That's interesting. Thanks for the help! I'll have a read about pipelines for sure! Will mark this question as solved.

system · December 2, 2019, 7:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Output with condition Logstash	5	1670	December 3, 2019
Logstash different .conf inputs are mixing up entries in indexes Logstash	4	975	April 24, 2019
Keep one logstash conf file rather having multiple logstash conf file! Logstash	5	329	March 7, 2019
Multiple Logstash Configuration Files Logstash	4	5558	June 29, 2020
Logstash/Elasticsearch/Kibana Fundamentals Elasticsearch	3	397	December 27, 2019

Separated conf file duplicates search

Related topics