Can I add a field with the contents of the current year?

Hi,
I've seen the notation in the output part of logstash to put %{+YYYY.MM.dd} to name the index, for instance:

output {
  elasticsearch {
    hosts => ["host1:9200"]
    index => "prefix-%{+YYYY.MM.dd}"
    user => elastic
    password => changeme
  }
}

Can I store the YYYY part in a field? For instance:

mutate { add_field => { "[@metadata][year]" => "+YYYY" } }

Thanks

You would need to use a sprintf reference, just as in the elasticsearch index option. I would expect

mutate { add_field => { "[@metadata][year]" => "%{+YYYY}" } }

to work. If you are using a date filter then make sure you put the mutate before the date filter if you really want the current year (year it is processed in) rather than the year that the line was logged at.


Thanks Badger, I guess I can do something like this as well?

mutate { add_field => { "[@metadata][date_part]" => "%{+YYYY.MM}" } }
mutate { add_field => { "[@metadata][date_part]" => "%{+YYYY.MM.dd}" } }

What I'm trying to do is, in the output, instead of putting an if and several elasticsearch output plugins, use just one, like:

output {
  elasticsearch {
    hosts => ["host1"]
    user => '${es_usr}'
    password => '${es_pwd}'
    index => "%{[@metadata][prefix]}-%{[@metadata][date_part]}"
  }
}

Then some indexes are stored daily, others weekly, others monthly, and by changing [@metadata][date_part] I get it more generic, with fewer repetitions of elasticsearch {....} in the output.

I tested it and worked great!
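The single-output pattern from the thread above, written out as a full pipeline. This is an added example, not code from any of the posters; the `[type]` and `log_time` fields, the type values and the index prefixes are assumptions. The final `else` branch makes sure both metadata fields are always set, because an unresolved `%{...}` reference is left as literal text in the index name.

```logstash
# Added example. Assumed: events carry a [type] field and an ISO8601 [log_time].
input {
  stdin { codec => json }
}

filter {
  # %{+FORMAT} formats @timestamp. After this date filter, @timestamp holds the
  # time the line was logged, so the index follows the event time. Move the
  # mutate blocks above the date filter to use the processing time instead.
  date {
    match => ["log_time", "ISO8601"]
  }

  if [type] == "audit" {
    # Daily indices
    mutate { add_field => {
      "[@metadata][prefix]"    => "audit"
      "[@metadata][date_part]" => "%{+YYYY.MM.dd}"
    } }
  } else if [type] == "metrics" {
    # Weekly indices: ISO week-year and week number
    mutate { add_field => {
      "[@metadata][prefix]"    => "metrics"
      "[@metadata][date_part]" => "%{+xxxx.ww}"
    } }
  } else {
    # Default: monthly indices, so the output never sees an unset field
    mutate { add_field => {
      "[@metadata][prefix]"    => "misc"
      "[@metadata][date_part]" => "%{+YYYY.MM}"
    } }
  }
}

output {
  elasticsearch {
    hosts    => ["host1:9200"]
    # Resolved from the environment or the Logstash keystore, not hard-coded
    user     => '${es_usr}'
    password => '${es_pwd}'
    index    => "%{[@metadata][prefix]}-%{[@metadata][date_part]}"
  }
}
```

Fields under `[@metadata]` are not sent to Elasticsearch, so the prefix and date part do not end up in the stored documents.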
