We can send an email notification to a particular email address, but I want to send email to different mailing addresses based on a pattern in the logs.
For example, we have 3 users with email addresses:
- userone@something.com receives mail if the log contains [useronemodule]
- usertwo@something.com receives mail if the log contains [usertwomodule]
- userthree@something.com receives mail if the log contains [userthreemodule]
The Logstash version used is 1.3.3. Is this possible in Logstash, or is there a workaround to achieve this?
With this configuration, although both 'security' and 'portal' match, an email is sent to only one.
When I keep only one kind of logs (security logs or portal logs) it works, but when I keep both logs it sends an email to only one of them.

output {
  if [module] == "security" {
    email {
      to => "userone@somemail.com"
      from => "dummy2161@somemail.com"
      match => ["%{message}", "severity,error"]
      subject => "error occured"
      body => "%{message}"
      via => "smtp"
      options => {
        starttls => "true"
        smtpIporHost => "smtp.gmail.com"
        port => "587"
        userName => "dummy2161@somemail.com"
        password => "*******"
        authenticationType => "plain"
      }
    }
  }
  if [module] == "portal" {
    email {
      to => "usertwo@somemail.com"
      from => "dummy2161@gmail.com"
      match => ["%{message}", "severity,error"]
      subject => "error occured"
      body => "%{message}"
      via => "smtp"
      options => {
        starttls => "true"
        smtpIporHost => "smtp.gmail.com"
        port => "587"
        userName => "dummy2161@somemail"
        password => "*****"
        authenticationType => "plain"
      }
    }
  }
}

Thanks
You can either store the recipient email address in a field (using conditionals or grok filters to assign the value) and refer to that field in the email output's `to` parameter, or you can wrap multiple email outputs in conditionals.
Using a field for storing the address:

filter {
  # If the module name is the same as the recipient address's local part
  mutate {
    add_field => { "recipient" => "%{modulename}@example.com" }
  }

  # Otherwise you might have to use conditionals.
  if [modulename] == "something" {
    mutate {
      add_field => { "recipient" => "someuser@example.com" }
    }
  } else {
    mutate {
      add_field => { "recipient" => "otheruser@example.com" }
    }
  }
}

output {
  email {
    to => "%{recipient}"
    ...
  }
}

Wrapping outputs in conditionals:

output {
  if [modulename] == "something" {
    email {
      to => "someuser@example.com"
      ...
    }
  } else {
    email {
      to => "otheruser@example.com"
      ...
    }
  }
}
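
An added example, not part of the original question or answer: the field-based approach applied to the question's three users, with each bracketed module tag mapped to a fixed address so that log content alone never chooses the recipient. The sender address `alerts@something.com` is an assumption, and the SMTP `options` block from the question is left out for brevity.

```logstash
filter {
  # Map each known module tag in the log line to a fixed recipient.
  # Events with an unknown tag get no "recipient" field at all.
  if [message] =~ /\[useronemodule\]/ {
    mutate { add_field => { "recipient" => "userone@something.com" } }
  } else if [message] =~ /\[usertwomodule\]/ {
    mutate { add_field => { "recipient" => "usertwo@something.com" } }
  } else if [message] =~ /\[userthreemodule\]/ {
    mutate { add_field => { "recipient" => "userthree@something.com" } }
  }
}

output {
  # Send mail only for events that matched one of the modules above.
  if [recipient] {
    email {
      to      => "%{recipient}"
      from    => "alerts@something.com"   # assumed sender address
      subject => "error occurred"
      body    => "%{message}"
      via     => "smtp"
      # add the SMTP options block from the question's configuration here
    }
  }
}
```

Compared with building the address from `%{modulename}@example.com`, the fixed mapping keeps a crafted or unexpected module name in a log line from steering mail to an unintended mailbox.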