使logstash将不同的输入添加到不同的索引 [英] Make logstash add different inputs to different indices

问题描述

我已经设置了logstash以使用嵌入式elastisearch.
我可以记录事件.
我的logstash conf看起来如下:
https://gist.github.com/khebbie/42d72d212cf3727a03a0

I have setup logstash to use an embedded elastisearch.
I can log events.
My logstash conf looks thus:
https://gist.github.com/khebbie/42d72d212cf3727a03a0

现在，我想添加另一个udp输入，并在另一个索引中对该输入进行索引.

Now I would like to add another udp input and have that input be indexed in another index.

这有可能吗? 我这样做是为了使报告更加容易，因此我可以在一个索引中包含系统日志事件，而在另一个索引中包含业务日志事件.

Is that somehow possible? I would do it to make reporting easier, so I could have system log events in one index, and business log events in another index.

推荐答案

在输出部分中使用if条件，例如，消息类型或任何对选择索引有意义的消息字段.

Use an if conditional in your output section, based on e.g. the message type or whatever message field is significant to the choice of index.

input {
  udp {
    ...
    type => "foo"
  }
  file {
    ...
    type => "bar"
  }
}

output {
  if [type] == "foo" {
    elasticsearch {
      ...
      index => "foo-index"
    }
  } else {
    elasticsearch {
      ...
      index => "bar-index"
    }
  }
}

或者，如果消息类型可以直接进入索引名称，则可以有一个输出声明:

Or, if the message type can go straight into the index name you can have a single output declaration:

elasticsearch {
  ...
  index => "%{type}-index"
}

这篇关于使logstash将不同的输入添加到不同的索引的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！