I have logs from different packages, for example:
com.example.package1.subpackage1.MyClass
com.example.package1.subpackage2.MyClass
com.example.package2.subpackage1.MyClass
com.example.package2.subpackage2.MyClass
I want to create an index for package1 and package2.
At the moment the Logstash configuration looks like this:
filter {
    if "package1" in [logger_name] {
        mutate {
            add_tag => "package1"
        }
    }
    if "package2" in [logger_name] {
        mutate {
            add_tag => "package2"
        }
    }
}
output {
    if "package1" in [tags] {
        elasticsearch {
            index => "package1"
        }
    }
    if "package2" in [tags] {
        elasticsearch {
            index => "package2"
        }
    }
}
But every time I add a new package, I need to restart Logstash with a new configuration. Is it possible to create a more generic config?
Use a grok{} filter to pull the name out into a logstash field, and then you can reference that in the output{} stanza.
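
The approach from the answer above, written out as an added example that is not part of the original posts. It assumes every logger name starts with com.example. as in the question; the PKG pattern name, the _package_parse_failure tag and the unparsed fallback index are hypothetical names chosen for this sketch.

```logstash
filter {
  grok {
    # PKG is a custom pattern (assumed name). It only accepts lowercase
    # letters, digits and underscores, so the captured value is always a
    # valid Elasticsearch index name and log content cannot pick an
    # arbitrary index.
    pattern_definitions => { "PKG" => "[a-z0-9_]+" }

    # Capture the segment right after "com.example." into @metadata, which
    # is available to the output stage but is not stored in the document.
    match => {
      "logger_name" => "^com[.]example[.]%{PKG:[@metadata][package]}[.]"
    }

    # Assumed tag name, used to spot events whose logger did not match.
    tag_on_failure => ["_package_parse_failure"]
  }
}

output {
  if [@metadata][package] {
    elasticsearch {
      # Resolved per event: package1, package2, or any package added later,
      # without editing this file or restarting Logstash.
      index => "%{[@metadata][package]}"
    }
  } else {
    elasticsearch {
      # Assumed fallback index for events that did not match the pattern,
      # so they are not written to an index literally named
      # "%{[@metadata][package]}".
      index => "unparsed"
    }
  }
}
```

Because the index name now comes from event data, the restrictive PKG pattern and the fallback branch are what keep the set of created indices bounded to well-formed package names.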