Using different Index names in Output logstash

Saravana37 · May 19, 2021, 6:16am

Hello All ,

I want to re-use the config lines in output logstash as shown below. I am using if condition but is throwing some error. Please help me out.

output {
    

		
elasticsearch 
        {
			hosts => ["https://XXXXXnet:8200"]
			user => "${es_usr}"
			password => "${es_pwd}"
		if "RequestRouter" in [source] and "VAGAPIEMEA" in [InterfaceName]
            {

                index => "prodsrvrlog-reqrouter-vagapi-%{log_day}"

            }
        else if "RequestRouter" in [source]
            {
                index => "prodsrvrlog-reqrouter-%{log_day}"

            }
        else if "FleetboardListener"  in [source]
            {
                index => "api_fleet_list-%{log_day}"

            }
        else if "SComm"  in [source]
            {
 
                index => "scomm-%{log_day}"

            }
	
        else if "metric" in [fields][type]
            {
    
                index => "metricbeat-%{+YYYY.MM.dd}"

            }
        else if "PROD" in [fields][env]
            {
                index => "prodsrvrlog-%{log_day}"
            }
		else
            {
                index => "otherdata-%{+YYYY.MM.dd}"

            }
    ssl => true
    ssl_certificate_verification => false
    cacert => "E:\ELK\ODForESearch\config\chain.pem"
    ilm_enabled => false
    document_id => "%{[fingerprint]}"
        }

ylasri · May 19, 2021, 7:35am

Condition should be applied to all ouput block like this

output {
	if "RequestRouter" in [source] and "VAGAPIEMEA" in [InterfaceName]
		elasticsearch 
				{
					hosts => ["https://XXXXXnet:8200"]
					user => "${es_usr}"
					password => "${es_pwd}"
					ssl => true
					ssl_certificate_verification => false
					cacert => "E:\ELK\ODForESearch\config\chain.pem"
					ilm_enabled => false
					document_id => "%{[fingerprint]}"
					index => "prodsrvrlog-reqrouter-vagapi-%{log_day}"
			}
	else if "RequestRouter" in [source]
		elasticsearch 
				{
					hosts => ["https://XXXXXnet:8200"]
					user => "${es_usr}"
					password => "${es_pwd}"
					ssl => true
					ssl_certificate_verification => false
					cacert => "E:\ELK\ODForESearch\config\chain.pem"
					ilm_enabled => false
					document_id => "%{[fingerprint]}"
					index => "prodsrvrlog-reqrouter-%{log_day}"
			}
	....
	}

Saravana37 · May 19, 2021, 7:50am

Hello @ylasri ,

Thanks for your response. Then the no of lines in the config increasing . Can't we use index name in the mutate filter like below ?

	if "RequestRouter" in [source] and "VAGAPIEMEA" in [InterfaceName]
        {
						mutate {
						add_field => 	{ 
							"myindex" => "prodsrvrlog-reqrouter-vagapi-%{log_day}"
										}
							 }

ylasri · May 19, 2021, 7:53am

Yes, this the best way, add a metadata field to hold index name and avoid index it in doucments
Check an example here

Saravana37 · May 19, 2021, 8:21am

Sure @ylasri ,

I will check.

Thank you.

system · June 16, 2021, 8:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.