I am trying to create index names with minute resolution since I am still experimenting with ELK and would like to see the effect of various changes in my logstash filter, without having to delete an existing filter (and without overwriting the previous one that was created minutes ago). So I have been trying the following index naming schema, but it seems that Elastic/logstash doesn't like it:
That is, for index => "CPU-over-time-%{+YYYY.MM.dd}-%{+HH.mm}" it will generate an index named CPU-over-time-. i.e. without the timestamp appended to it.
Why? Is there a way around this to accomplish what I want?
@Badger Thanks for your reply. My problem is not with 'filter' but rather with 'output'. More precisely, the index name part of 'output'. I edited my question above to clarify what I am getting for index name.
That is, for index => "CPU-over-time-%{+YYYY.MM.dd}-%{+HH.mm}" it will generate an index named CPU-over-time- . i.e. without the timestamp appended to it.
Exactly the same interpolation evaluation function is used in both situations, so if it works in one it will work in the other. If the entire sprintf reference is missing that suggests that you have removed the [@timestamp] field from the message before sending it to the output.
@Badger You are right, I did remove the [@timestamp] field from the message before sending it to the output. Thanks for the amazing pinpointing diagnosis.
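The cause identified in this thread, turned into a pipeline sketch. This is an added example, not configuration posted by either participant. It assumes the [@timestamp] field really does have to be dropped from the stored document; the `[@metadata][index_suffix]` field name and the `hosts` value are made up for the illustration.

```logstash
filter {
  # ... existing parsing filters ...

  # Render the date-based suffix while [@timestamp] is still on the event.
  # [@metadata] fields can be referenced by sprintf in the output section but
  # are not written to Elasticsearch. "index_suffix" is a name chosen for
  # this example.
  mutate {
    add_field => { "[@metadata][index_suffix]" => "%{+YYYY.MM.dd}-%{+HH.mm}" }
  }

  # Only now drop [@timestamp]. This is a separate mutate block so the removal
  # happens after the suffix above has been rendered.
  mutate {
    remove_field => ["@timestamp"]
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed local test node
    # Lowercased here because Elasticsearch index names must be lowercase.
    index => "cpu-over-time-%{[@metadata][index_suffix]}"
  }
}
```

If [@timestamp] does not need to be removed, leaving it on the event and keeping the `%{+YYYY.MM.dd}-%{+HH.mm}` pattern directly in `index` works as well.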