13 Oct
2016
13 Oct
'16
8:25 a.m.
On Thu, Oct 13, 2016 at 07:48:36AM +0200, Fabien Wernli wrote:
Hi Scot!
We use a single destination but set the ${__es_index} macro using rewrite rules:
elasticsearch2(index("${__es_index:-syslog}-$YEAR.$MONTH.$DAY"));
so for instance: destination d_elastic { elasticsearch2( ... index("${__es_index:-syslog}-$YEAR.$MONTH.$DAY") ); }; log { ... junction { channel { filter(f_foo); rewrite { set("foo", value("__es_index")); }; flags(final); }; channel { filter(f_bar); rewrite { set("bar", value("__es_index")); }; flags(final); }; }; destination(d_elastic); };