khebbie
Reputation: 2503
Make logstash add different inputs to different indices
I have setup logstash to use an embedded elastisearch.
I can log events.
My logstash conf looks thus:
https://gist.github.com/khebbie/42d72d212cf3727a03a0
Now I would like to add another udp input and have that input be indexed in another index.
Is that somehow possible? I would do it to make reporting easier, so I could have system log events in one index, and business log events in another index.
Upvotes: 11
Views: 28873
Answers (1)
Magnus Bäck
Reputation: 11571
Use an if conditional in your output section, based on e.g. the message type or whatever message field is significant to the choice of index.
input {
udp {
...
type => "foo"
}
file {
...
type => "bar"
}
}
output {
if [type] == "foo" {
elasticsearch {
...
index => "foo-index"
}
} else {
elasticsearch {
...
index => "bar-index"
}
}
}
Or, if the message type can go straight into the index name you can have a single output declaration:
elasticsearch {
...
index => "%{type}-index"
}
Upvotes: 52
Related Questions
- Logstash content based filtering, into multiple indexs
- Injecting json string into different Elasticsearch indices using Logstash
- multiple inputs on logstash jdbc
- Indexing multiple indexes in elastic search at the same time
- Logstash output different fields to different elastic search indices
- Config logstash: multiple input
- One Logstash to Multiple Elasticsearch Indexes with CertainFields
- logstash elastic search output configuration based on inputs
- logstash configuration with variable index name for elasticsearch
- separate indexes on logstash