
Is the below Logstash.conf file format correct? If not, please let me know where I am wrong. Based on the log file path (inbuilt key), I want to change the index to another.

input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => {"message" => "%{TIME:timestamp} \[%{DATA:type}\] %{LOGLEVEL:log-level} %{DATA:app_task}- %{GREEDYDATA:msg_data}"}
  }
  mutate {
    remove_field => [ "[host]" ]
  }
}

output {
  stdout {codec => rubydebug}
  if ["log.file.path"] == "/a/b/c/d/e.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "abc"
    }
  }
  else {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
  • You need to provide more details about your problem. But your configuration is wrong, you need to use `[log][file][path]` not `log.file.path`. – leandrojmp Mar 30 '21 at 13:09
  • Logstash version is 7.11.2 and Filebeat version is 7.10.1. This is my key in Kibana which I want to check: "log.file.path". Please let me know what all you need. – Saishantan goli Mar 30 '21 at 13:28
  • I do not understand what the problem is. The configuration is wrong, you should use `[log][file][path]`, not `log.file.path`; `[log][file][path]` is the JSON object created by Filebeat with the path for the log file. What is not working? What do you expect to see and what are you seeing? You need to provide more information about what you want to do and what is not working. – leandrojmp Mar 30 '21 at 13:42
  • Adding `[log][file][path]` worked, and logs were going to the proper indexes. Thank you. – Saishantan goli Mar 30 '21 at 14:05
  • @leandrojmp Can you kindly add your comments as an answer so that OP can accept it as the answer? It would help people who might refer to this question later. – Sandun Apr 15 '21 at 14:19

0 Answers
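The fix from the comments, applied to the `output` section of the question's configuration. This is an added example, not part of the original thread; hosts, path and index names are the ones from the question.

```logstash
output {
  stdout { codec => rubydebug }

  # Filebeat ships the path as a nested object:
  #   { "log": { "file": { "path": "/a/b/c/d/e.log" } } }
  # Kibana displays that nested field flattened as log.file.path,
  # but a Logstash conditional addresses it with one bracket pair
  # per nesting level: [log][file][path].
  if [log][file][path] == "/a/b/c/d/e.log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "abc"
    }
  } else {
    # Everything else keeps the default Beats index naming.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}
```

The `rubydebug` output on stdout prints each event with its nested structure, which is a quick way to confirm the bracket path to use in a conditional.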