Logstash 1.2.1 config
It should add the log events to different Elasticsearch indices based on the logsource field:
output {
  if [fields][logsource] =~ /^foobar/ {
    # only server foobar01 and foobar1338
    elasticsearch {
      host => "<%= elasticsearch_host %>"
      cluster => "my_es_cluster"
      node_name => "logstash@<%= fqdn %>"
      index => "foobar-%{+YYYY.MM.dd}"
    }
  } else {
    # everything else
    elasticsearch {
      host => "<%= elasticsearch_host %>"
      cluster => "my_es_cluster"
      node_name => "logstash@<%= fqdn %>"
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}
I also tried each of the following:
[fields.logsource] =~ "^foobar" or [logsource] =~ /^foobar/ or [@fields.logsource] =~ /^foobar/ or [fields].[logsource] =~ /^foobar/