Separate ES indexes or add a new field in Logstash


(elastic-fan) #1

Hi,
I am trying to collect logs from 2 different servers which are located far away. Should I be creating 2 separate indexes for each of them in ES, or is there a way I can filter the logs coming out of those and add a new field in Logstash to every line of that log which has a specific entry? Which one is recommended?


(Ben Joyce) #2

If the two logs are for different systems/components, I'd probably use two indexes. If it's two servers hosting the same system, then one index makes more sense. I add fields to my index to identify the server the log originated from.


(elastic-fan) #3

How can I add that dynamically from the logs?


(Ben Joyce) #4

Here's an example config:

file
{
  type => "mysystem"
  path => "yourlogfile.txt"
  start_position => "end"
  codec => multiline
  {
    # A line that starts with "YYYY-MM-DD HH:MM:SS,mmm [thread] LEVEL" begins a
    # new event; every other line (negate => true) is appended to the previous
    # event. The square brackets around the thread id are escaped so they are
    # matched literally instead of being read as a character class.
    pattern => "^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{0,3} \[[0-9]{1,}\] (DEBUG|WARN|ERROR|INFO|FATAL)"
    negate => true
    what => "previous"
  }
  # Static fields stamped on every event this server ships
  add_field => {
    "index_name" => "myindex"
    "market" => "UK"
    "environment" => "Production"
    "host_name" => "SERVER1"
    "component" => "API"
  }
}

On your other server you'd do:

    "host_name" => "SERVER2"

Then in your output section:

elasticsearch
{
  action => "index"
  hosts => "your_elasticsearch_server"
  # %{index_name} comes from the event's add_field value, %{+YYYY.MM.dd} from @timestamp
  index => "logstash-%{index_name}-%{+YYYY.MM.dd}"
}

You should end up with data from two servers (SERVER1 and SERVER2) going to one index, "logstash-myindex-2016-01-29" etc.
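An added example (not part of the thread above, and not Logstash's own code): a small Ruby model of the pipeline described in that config. It groups raw lines into multiline events the way `codec => multiline { negate => true, what => "previous" }` does, stamps the static `add_field` labels for the shipping server, and renders the `logstash-%{index_name}-%{+YYYY.MM.dd}` index name from the event. The log lines, field values and the translation of the Joda date tokens to `strftime` are constructed assumptions for the example.

```ruby
# Constructed model of the thread's Logstash config: multiline grouping,
# per-shipper add_field labels and index-name templating.

# Same header pattern as the multiline codec, with the thread-id brackets escaped.
HEADER = /\A[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{0,3} \[[0-9]+\] (DEBUG|WARN|ERROR|INFO|FATAL)/
TS = /\A(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})/

# negate => true, what => "previous": a line that does NOT match the header is
# appended to the event before it; a matching line starts a new event.
def multiline_events(lines, pattern = HEADER)
  events = []
  lines.each do |line|
    if line =~ pattern || events.empty?
      events << line.dup
    else
      events[-1] << "\n" << line
    end
  end
  events
end

# @timestamp taken from the header when present (assumed UTC), otherwise "now".
def parse_timestamp(message)
  m = TS.match(message)
  m ? Time.utc(*m.captures.map(&:to_i)) : Time.now.utc
end

# add_field stamps static labels on every event from one shipper; the values
# describe the shipper's configuration, not anything parsed from the message.
def tag_event(message, fields)
  { 'message' => message, '@timestamp' => parse_timestamp(message) }.merge(fields)
end

# Render the elasticsearch output's index template: %{+...} is formatted from
# @timestamp, %{field} is substituted from the event (unknown fields are left as-is).
# Assumption: only the YYYY, MM and dd tokens are translated.
def index_name(event, template = 'logstash-%{index_name}-%{+YYYY.MM.dd}')
  with_date = template.gsub(/%\{\+([^}]+)\}/) do
    fmt = Regexp.last_match(1).gsub(/YYYY|MM|dd/, 'YYYY' => '%Y', 'MM' => '%m', 'dd' => '%d')
    event['@timestamp'].strftime(fmt)
  end
  with_date.gsub(/%\{([^}+][^}]*)\}/) do
    name = Regexp.last_match(1)
    event.fetch(name, "%{#{name}}")
  end
end

# One shipper: group lines, label them, decide where each event goes.
def run_pipeline(lines, shipper_fields)
  multiline_events(lines).map do |msg|
    ev = tag_event(msg, shipper_fields)
    ev['_index'] = index_name(ev)
    ev
  end
end

# Constructed sample input: two servers shipping the same system's log,
# SERVER1 with a multi-line stack trace.
SERVER1_FIELDS = {
  'index_name' => 'myindex', 'market' => 'UK', 'environment' => 'Production',
  'host_name' => 'SERVER1', 'component' => 'API'
}
SERVER2_FIELDS = SERVER1_FIELDS.merge('host_name' => 'SERVER2')

SERVER1_LOG = [
  '2016-01-29 10:15:01,123 [12] INFO  Request handled',
  '2016-01-29 10:15:02,456 [12] ERROR Unhandled exception',
  'java.lang.NullPointerException',
  '    at com.example.Api.handle(Api.java:42)'
]
SERVER2_LOG = [
  '2016-01-29 23:59:59,001 [7] WARN  Slow query'
]

if __FILE__ == $PROGRAM_NAME
  (run_pipeline(SERVER1_LOG, SERVER1_FIELDS) + run_pipeline(SERVER2_LOG, SERVER2_FIELDS)).each do |ev|
    puts "#{ev['_index']} host=#{ev['host_name']} lines=#{ev['message'].lines.count}"
  end
end
```

Both servers land in the same daily index (`logstash-myindex-2016.01.29` for the template above, since `%{+YYYY.MM.dd}` uses dots), and the three lines of the stack trace arrive as one event. Note that `host_name` here is whatever the shipper's config claims, so it identifies the origin only as far as the shipper config itself is trusted; Logstash's file input also sets a `host` field from the machine's own hostname, which is worth keeping alongside the static label so the two can be compared when an event looks out of place.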