Separated conf file duplicates search

Elastic Stack Logstash
1

Hi.

I've created two conf files under /etc/logstash/conf.d. Because I have two businesses in two different countries, I want them to be displayed in two separately indexes.

  • Index name nz-*
  • Index name au-*

However, in Kibana when discovering the data, even if I select only index nz-*, I can still see data from the other one.

Screenshot%20from%202019-11-05%2008-31-33
Screenshot from 2019-11-05 08-31-33.png773×539 24.8 KB

What am I doing wrong?

business1.conf:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "au-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}

business2.conf:

output {
    elasticsearch {
        hosts => ["localhost:9200"]
        # Weekly index (for pruning)
        index => "nz-log-index-%{+YYYY.'w'ww}"
    }
    stdout { codec => rubydebug }
}
2

If both configurations are running in the same pipeline then every event will get written to both elasticsearch outputs. You need to either run each business in its own pipeline or use conditionals in your processing.

1 Like
3

That's interesting. Thanks for the help! I'll have a read about pipelines for sure! Will mark this question as solved.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.