3

I have configured logstash to get input from one filebeat port. Filebeat configured with two different paths. is it possible to display logs to two different index?

Logstash input part:

input{
beats 
   {
     type => "stack"
     port => 5044
   }

Filebeat input part :

 prospectors:

  paths:
    - E://stack/**/*.txt
    - E://test/**/*.txt

Now i need to display "stack" in one index and "test" in other index. How to configure logstash output part?

Improve this question

1 Answer 1

Reset to default
1

What you can do is to use the knowledge of the type property in order to decide in which index to store the log being processed.

So your elasticsearch output could simply look like this, i.e. depending on the type value, the selected index will be different.

output {
 elasticsearch {
   hosts => ["localhost:9200"]
   manage_template => false
   index => "%{type}"
 }
}
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

The elastic guys don't encourage the use of type attribute and in addition it won't apply if you already have type field in your source (it doesn't override). So it's better to use tags or add_field instead.
@BornToCode that blog article is more recent than my answer, but yeah...

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.