johann
February 26, 2019, 2:29pm
1
Hi,
if I have an beats input from journalbeat to logstash, how can I use the index which is already set?
The beats input is coming from journalbeat -> logstash -> elasticsearch.
Journalbeat output: output.logstash with index option.
Is there a way to set this index from journalbeat if there is any?
For example:
if [input] == journalbeat {
if isset [index] {
// keep index
} else {
index => "notset-%{+YYYY.MM.dd}"
}
}
Thanks in advance!
Cheers,
johann
Badger
February 26, 2019, 2:42pm
2
That should be
if ! [index] {
mutate { add_field { index => "notset-%{+YYYY.MM.dd}" } }
}
johann
February 26, 2019, 2:58pm
3
Thank you, the problem is, the logstash output.elasticsearch sets an default index ( * Default value is "logstash-%{+YYYY.MM.dd}"), if the index option is not set... (https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-index )
So something like
output {
[...]
else if [_index] {
elasticsearch {
hosts => "elasticsearch:9200"
index => [_index]
}
}
should be necessary
Badger
February 26, 2019, 3:00pm
4
I am suggesting you add that in the filter so that index is always set when you get to the output.
johann
February 26, 2019, 3:23pm
5
Isn't the index is set by journalbeat already if I use the journalbeat output.logstash?https://www.elastic.co/guide/en/beats/journalbeat/6.7/logstash-output.html#logstash-index correct
Badger
February 26, 2019, 3:28pm
6
RIght, that's why I made adding index conditional upon index not being set.
johann
February 26, 2019, 4:08pm
8
Unfortunately the following is not working index, it works as aspected...
output {
[...]
else if [index] or [_index] {
elasticsearch {
hosts => "host"
index => "auto-%{index}"
}
}
}
system
March 26, 2019, 4:08pm
9
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
If I use an other field than