Hi. I'm struggling to separate log inputs by using indices in Filebeat, which sends its data to Elasticsearch from Docker containers. It creates an index with a default name. I tried to use `setup.ilm.enabled: false` to disable lifecycle management and it didn't help. What am I doing wrong? My ELK stack is 7.3 and I can't use Logstash.

```yaml
setup.ilm.enabled: false

#============================= Docker ========================================
filebeat.autodiscover:
  providers:
    - type: docker
      templates:
        - condition:
            regexp:
              docker.container.image: myapp
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log

#============================= Filebeat modules ===============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true

#==================== Elasticsearch template setting ==========================
setup.template.settings:
  index.number_of_shards: 1

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  hosts: ["elksrv:9200"]
  ilm.enabled: false
  protocol: "http"
  username: "elastic"
  password: "changeme"
  indices:
    - index: "myapp"
      when.contains:
        docker.container.image: "myapp"

setup.template.name: "notif5"
setup.template.pattern: "notif5-*"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
```

(Commented parts of the conf file are omitted.)