I have 2 directories and I want each one to be a different index in Elasticsearch. This is the .conf file:
input {
  stdin { type => "stdin-type" }
  file {
    path => "/home/falcoroot/development/falco/Jsons/**/*.json"
    add_tag => ["post"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
  file {
    path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
    add_tag => ["class"]
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
}
output {
  stdout {
    codec => dots
  }
  if "post" in [tags] {
    elasticsearch {
      hosts => "localhost"
      index => "facebook"
      document_type => "posts"
      document_id => "%{id}"
    }
  }
  if "class" in [tags] {
    elasticsearch {
      hosts => "localhost"
      index => "clasificados"
      document_type => "posts"
      document_id => "%{id}"
    }
  }
Please, if someone knows what I'm doing wrong, tell me, or tell me the correct way to create different indexes with Logstash.
First of all, there is a curly bracket missing at the very end, but I guess that's just a copy problem. Instead of using tags, why not use type as follows ... Also, it is always a good idea to add a variable part like a date to the index name.
Another thing: in Elasticsearch, think of an "index" as a database and the "type" as a table. Maybe you want to use the same index, but use a different type?
This config worked for me:
input {
  stdin { type => "stdin-type" }
  file {
    path => "/home/falcoroot/development/falco/Jsons/**/*.json"
    type => "facebook"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
  file {
    path => "/home/falcoroot/development/falco/Clasificados/**/*.json"
    type => "clasificados"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    ignore_older => 0
  }
}
output {
  stdout {
    codec => dots
  }
  if [type] in ["clasificados", "facebook"] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "%{type}_%{+YYYY.MM.dd}"
      document_type => "posts"
      document_id => "%{id}"
    }
  }
}