What is the logserver-supported method to send data of a certain type to another index?
We tried adding an if statement to the output section, but we found when we did this that data was being written to the default logstash-YYYY.MM.dd index and the syslog-YYYY.MM.dd index we created.
This looks to be happening because of the way logserver puts the default output entry into the configuration file.
Just to be clear - you are trying to accept logs into Logstash from some remote sender, and after accepting those logs you want to output them to a particular Elasticsearch index? Is that correct? Or are you trying to output them to a different external device?
TwitsBlog Show me a man who lives alone and has a perpetually clean kitchen, and 8 times out of 9 I'll show you a man with detestable spiritual qualities.
After re-creating your setup, I am seeing the same results on my cluster. I haven't found a way to delete the replicated data left behind by the first output. The only way that I can imagine doing it is by adding an 'if' statement to the original output configuration (if type = syslog action = delete) to see if that resolves it. Since the file is generated dynamically, this will not work. I have made a note to continue testing this tomorrow morning.
Right now, it does not look like multiple outputs are possible without data duplication.
I have confirmed with development that it may not ever be possible for data to not hit the default index. Unfortunately you'll either need to concatenate your data into the default index, or duplicate the data.
Best,
Jesse