Two outputs with different data

AlexH · April 21, 2018, 12:35pm

I want to take one input, do some filters, send output to one ES index, do more filters, then send to a second ES index.

The result should be one index with a set of fields, and the second index has a mostly different set of fields but based on the same original input.

In my logstash config, I tried input -> filter -> output -> filter -> output, where the second filter removes most fields and adds a few new ones before sending it to the second index, but the result is both indexes end up getting the combined filter result.

Any ideas?

Badger · April 21, 2018, 1:35pm

Events are read from inputs, sent through all the filters, then written to the outputs. So what you are seeing is expected.

You could write the events to a second logstash instance, or a different pipeline if you are using a recent version.

Christian_Dahlqvist · April 21, 2018, 6:36pm

You can use the clone filter to create a second event. Add the additional fields only to one of these events and then send them to different outputs.

AlexH · April 22, 2018, 10:31pm

That's a great idea. I'll try that and see if I can get it working. Thanks!

system · May 20, 2018, 10:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can I filter the Output data separately?! Logstash	9	10876	August 31, 2018
Logstash generate two events on output Logstash	3	685	July 6, 2017
One Input Event - 2 Output Events Logstash	5	3010	May 11, 2018
Parse the same input in two different ways Logstash	3	373	October 8, 2018
One input two outputs Logstash	2	764	December 1, 2015

Two outputs with different data

Related Topics