使 logstash 为不同的索引添加不同的输入 [英] Make logstash add different inputs to different indices

问题描述

我已经设置了 logstash 以使用嵌入式 elasticsearch.
我可以记录事件.
我的 logstash conf 看起来是这样的:
https://gist.github.com/khebbie/42d72d212cf3727a03a0

I have setup logstash to use an embedded elastisearch.
I can log events.
My logstash conf looks thus:
https://gist.github.com/khebbie/42d72d212cf3727a03a0

现在我想添加另一个 udp 输入并将该输入编入另一个索引中.

Now I would like to add another udp input and have that input be indexed in another index.

这有可能吗?我这样做是为了让报告更容易，所以我可以在一个索引中包含系统日志事件，而在另一个索引中包含业务日志事件.

Is that somehow possible? I would do it to make reporting easier, so I could have system log events in one index, and business log events in another index.

推荐答案

在输出部分使用 if 条件，例如基于消息类型或任何消息字段对索引的选择很重要.

Use an if conditional in your output section, based on e.g. the message type or whatever message field is significant to the choice of index.

input {
  udp {
    ...
    type => "foo"
  }
  file {
    ...
    type => "bar"
  }
}

output {
  if [type] == "foo" {
    elasticsearch {
      ...
      index => "foo-index"
    }
  } else {
    elasticsearch {
      ...
      index => "bar-index"
    }
  }
}

或者，如果消息类型可以直接进入索引名称，您可以有一个输出声明:

Or, if the message type can go straight into the index name you can have a single output declaration:

elasticsearch {
  ...
  index => "%{type}-index"
}

这篇关于使 logstash 为不同的索引添加不同的输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！