Hi, I'm trying to create an index for every application that we have in our company, like index-app1, index-app2. We have a lot of teams and every team is the owner of its apps, so I'm trying that approach so we can easily make filters, visualizations and so on. I have all the apps dockerized, and every docker has its own log file with the name of the app, e.g. app1.log, app2.log, etc. Having said that, I would like to take the filename and create the index with that. Is that possible? Or maybe another approach?
If you are using a file input then every event will have a field called path that contains the path to the file. If the name of the file contains the app name then you can use a dissect or grok filter to extract the app name into another field. Then you can use a field reference to build the index name from that field.
index => "%{app}..."
That said, if this approach ends up causing you to have a large number of small indexes your performance will suffer from the overhead involved in managing a large number of shards.
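A pipeline along the lines of the answer above, as an added example that is not part of the original post. The log directory, the Elasticsearch host and the fallback index name are assumptions; the `index-` prefix follows the naming in the question.

```logstash
input {
  file {
    # Assumed location of the per-app log files (app1.log, app2.log, ...)
    path => "/var/log/apps/*.log"
    # Keep the file name in the top-level "path" field, as the answer describes.
    # With ECS compatibility enabled the file input writes it to
    # [log][file][path] instead.
    ecs_compatibility => disabled
  }
}

filter {
  # Take the file name without ".log" as the app name. The character class
  # only admits characters that are valid in an index name, so a file with
  # an unexpected name cannot produce a malformed or surprising index.
  grok {
    match => { "path" => "/(?<app>[A-Za-z0-9_-]+)\.log$" }
    tag_on_failure => ["_app_name_unparsed"]
  }
  # Elasticsearch index names must be lowercase.
  mutate {
    lowercase => ["app"]
  }
}

output {
  if [app] {
    elasticsearch {
      hosts => ["http://localhost:9200"]   # assumed host
      index => "index-%{app}"
    }
  } else {
    # Without this branch an event with no "app" field would be written to
    # an index literally named "index-%{app}", because an unresolved field
    # reference is left in the string as-is.
    elasticsearch {
      hosts => ["http://localhost:9200"]   # assumed host
      index => "index-unmatched"           # assumed fallback name
    }
  }
}
```

The same `app` field also serves the shared-index alternative: point both outputs at one index and filter on `app` in queries and visualizations.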
Thanks Badger. If the performance suffers from the overhead, maybe I'm not getting the right solution; maybe just adding a tag with the name of the app and sharing the same index could be better. How can I extract text from a Logstash field?