Make logstash add different inputs to different indices

elasticsearch logstash
khebbie picture khebbie · Nov 26, 2014 · Viewed 24.3k times · Source

I have setup logstash to use an embedded elastisearch.
I can log events.
My logstash conf looks thus:
https://gist.github.com/khebbie/42d72d212cf3727a03a0

Now I would like to add another udp input and have that input be indexed in another index.

Is that somehow possible? I would do it to make reporting easier, so I could have system log events in one index, and business log events in another index.

Answer

Magnus Bäck picture Magnus Bäck · Nov 26, 2014

Use an if conditional in your output section, based on e.g. the message type or whatever message field is significant to the choice of index.

input {
  udp {
    ...
    type => "foo"
  }
  file {
    ...
    type => "bar"
  }
}

output {
  if [type] == "foo" {
    elasticsearch {
      ...
      index => "foo-index"
    }
  } else {
    elasticsearch {
      ...
      index => "bar-index"
    }
  }
}

Or, if the message type can go straight into the index name you can have a single output declaration:

elasticsearch {
  ...
  index => "%{type}-index"
}

Related questions

How to retrieve unique count of a field using Kibana + Elastic Search

Is it possible to query for a distinct/unique count of a field using Kibana? I am using elastic search as my backend to Kibana. If so, what is the syntax of the query? Heres a link to the Kibana …

Read More
Export to csv/excel from kibana

I am building a proof of concept using Elasticsearch Logstash and Kibana for one of my projects. I have the dashboard with the graphs working without any issue. One of the requirements for my project is the ability to download …

Read More
Redis Vs RabbitMQ as a data broker/messaging system in between Logstash and elasticsearch

We are defining an architecture to collect log information by Logstash shippers which are installed in various machines and index the data in one elasticsearch server centrally and use Kibana as the graphical layer. We need a reliable messaging system …

Read More