0
votes

I am new to Logstash and Elasticsearch.

I have a NodeJS app, where I am sending logs through Winston:Redis. I have different types of logs, like Requests, system, etc. And I want these logs to be in separate index_type inside ElasticSearch.

I am sending these keys, e.g. "web:production:request", "web:production:system", and I'm sending JSON objects.

My configuration is:

NodeJS (Winston Redis client) -> Redis -> Logstash -> Elastic search

It's working well, except for index_types.

I have 1 Redis client (stream/subscribe) and I want to filter these logs, depending on key value, to different index_types inside the Elasticsearch output.

I tried this config:

input {
    redis {
        host => "127.0.0.1"
        data_type => "pattern_channel"
        key => "web:production:*"
        codec => json
    }
}

filter {
    if [key] == "web:production:request" {
        alter {
            add_field => { "index_type" => "request" }
        }
    }

    if [key] == "web:production:system" {
        alter {
            add_field => { "index_type" => "system" }
        }
    }
}

output {
    elasticsearch {
        index => "web-production-%{+YYYY.MM.dd}"
        index_type => "%{index_type}"
        # THIS IS NOT WORKING
        protocol => "http"
    }
}

So the questions are:

  1. How do I do conditionals right?

  2. How would you proceed if you want to send to different indexes depending on conditions?

  3. I cannot have a condition inside a command? E.g. grok { if [key] == "1" {} }?

1
What is it inserting into ES or are you getting some sort of error? - Alcanzar

1 Answers

0
votes

Suggestion for a workaround:

output {
  if [index_type] == "request"{
    elasticsearch {
      index => "web-production-request%{+YYYY.MM.dd}"
      protocol => "http"
    }
  }
  if [index_type] == "system"{
    elasticsearch {
      index => "web-production-system%{+YYYY.MM.dd}"
      protocol => "http"
    }
  }
}