Hi All,
I am using ELK 6.8.0 and I want to add the beat version to the indexname I have configured in an Logstash output. I have configured it currently like this
clog-%{[beat][version]}-%{+YYYY.MM.dd}
But that gives me an index name of
clog-%{[beat][version]}-2019.11.08
How do I access those fields in the document?
Should be something like this :
"%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
atleast it works for me 
Yeah I have tried that to but that doesn't work either..I do not have @metadata fields.
{
"tags" => [
[0] "dovecot",
[1] "MC",
[2] "beats_input_codec_plain_applied"
],
"host" => "name",
"source" => "/var/log/dovecot/info.log",
"message" => "full message",
"source_affiliate" => "ukmail",
"prospector" => {
"type" => "log"
},
"beat_used" => "true",
"offset" => 34120721,
"@version" => "1",
"@timestamp" => 2019-11-08T08:26:21.688Z,
"beat" => {
"version" => "6.2.4",
"hostname" => "name",
"name" => "name.local"
}
}Have you tried to Grok Match the Beat Name from the Plain Log? And simply use the fieldname in which you put the Value In the Indexname? I don't really know the format of your logs so i can't just paste random stuff in here.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.