Syntax for index redirection (in module 'output')?

ethrbunny · September 12, 2018, 10:58am

In the 'output' section of my beats.conf I want to send different types of input to different indexes. The 'filter' section lets me pick and choose like so: "if [fileset][module] =~ " --> is there a way to do this in the 'output' section?

Presently I use this format:
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

How would I pick off entries from [fileset][module] =~ "auditd" and send those to their own index separate from other filebeat entries?

magnusbaeck · September 12, 2018, 5:01pm

is there a way to do this in the 'output' section?

Yes. It works in exactly the same way as in the filter section.

system · October 10, 2018, 5:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Output to different index based on field Logstash	12	3201	February 5, 2022
Logstash output from filebeat. What is 'index' configuration option? Beats filebeat	2	408	January 16, 2020
Conditional index in output Logstash	1	737	July 11, 2020
Using Filebeat with multiple indices and logstash Beats filebeat	4	2723	January 13, 2020
How to make output to two index using logstash Logstash	2	263	July 17, 2020

Syntax for index redirection (in module 'output')?

Related topics