Hello, all.
I've just installed Topbeat on a node and, of course, want to capture data and view it in Kibana. I do have it working (topbeat.yml configured to use logstash as output), but all the Topbeat data end up in the logstash-* indices. I'd like to get the Topbeat data into topbeat-* indices, but everything else into logstash-*. Can this be done? If so, I take it I have to set up it up in my logstash output configuration? How?
Many thanks.
Thanks, Andrew.
I've read that doc, but in my setup, it doesn't work. I have three config files: 02-input.conf, 15-filters.conf, and 30-elasticsearch-output.conf. 02-input.conf has the beats input section in it:
input {
beats {
port => 5044
}
}
30-elasticsearch-output.conf has the following output stanza:
output {
elasticsearch { hosts => ["10.0.101.101:9200"] }
stdout { codec => rubydebug }
}
As I understand it, since no index is specified, logstash-* is used by default. That's fine for everything but Topbeat, which I'd like to use topbeat-* indices. That said, how do I specify that Topbeat specifically use the topbeat-* indices.
Hope I'm clear about what I'm after.
You can use a conditional statement around your outputs in order to have two different output paths. Here's a great example from Magnus.
Reference: Logstash | Event Dependent Configuration
Andrew,
That worked a treat - thank you so much! And to Magnus, too!
Diggy
This topic was automatically closed after 21 days. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.