Hello All ,
I want to re-use the config lines in output logstash as shown below. I am using if condition but is throwing some error. Please help me out.
output {
elasticsearch
{
hosts => ["https://XXXXXnet:8200"]
user => "${es_usr}"
password => "${es_pwd}"
if "RequestRouter" in [source] and "VAGAPIEMEA" in [InterfaceName]
{
index => "prodsrvrlog-reqrouter-vagapi-%{log_day}"
}
else if "RequestRouter" in [source]
{
index => "prodsrvrlog-reqrouter-%{log_day}"
}
else if "FleetboardListener" in [source]
{
index => "api_fleet_list-%{log_day}"
}
else if "SComm" in [source]
{
index => "scomm-%{log_day}"
}
else if "metric" in [fields][type]
{
index => "metricbeat-%{+YYYY.MM.dd}"
}
else if "PROD" in [fields][env]
{
index => "prodsrvrlog-%{log_day}"
}
else
{
index => "otherdata-%{+YYYY.MM.dd}"
}
ssl => true
ssl_certificate_verification => false
cacert => "E:\ELK\ODForESearch\config\chain.pem"
ilm_enabled => false
document_id => "%{[fingerprint]}"
}
You can use a filter to define a variable like my_index_index. Then you can reuse the same output plugin.
index => "%{my_index_name}"
AFAIK you can not split up an output plugins like that. It would also be easier to help you if you would actually show the error message.
Hello @oscark ,
This is the error message i am getting
[2021-05-19T09:32:39,609][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.8.4"}
[2021-05-19T09:32:41,032][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 223, column 16 (byte 5047) after output {\r\n \r\n\r\n\t\t\r\nelasticsearch \r\n {\r\n hosts => [\"https://XXXXtra.net:8200\"]\r\n user => \"${es_usr}\"\r\n password => \"${es_pwd}\"\r\n if ", :backtrace=>["E:/ELK/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "E:/ELK/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "E:/ELK/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2577:in `map'", "E:/ELK/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in `initialize'", "E:/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:22:in `initialize'", "E:/ELK/logstash/logstash-core/lib/logstash/pipeline.rb:90:in `initialize'", "E:/ELK/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:43:in `block in execute'", "E:/ELK/logstash/logstash-core/lib/logstash/agent.rb:96:in `block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in `synchronize'", "E:/ELK/logstash/logstash-core/lib/logstash/agent.rb:96:in `exclusive'", "E:/ELK/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:39:in `execute'", "E:/ELK/logstash/logstash-core/lib/logstash/agent.rb:334:in `block in converge_state'"]}
And @oscark ,
Do i have to use mutate filter like this in the filter section ? , Then again i believe no of lines are increasing .
if “RequestRouter” in [source] and “VAGAPIEMEA” in [InterfaceName]
{
mutate {
add_field => {
“myindex” => “prodsrvrlog-reqrouter-vagapi-%{log_day}”
}
}