Can't specify custom index name in Filebeat

Hi. I'm struggling to separate log inputs by using indices in Filebeat, which sends its data to elasticsearch from docker containers. It creates an index with a default name. I tried to use setup.ilm.enabed: false to disable lifecycle management and it didn't help. What am I doing wrong? My ELK stack is 7.3 and I can't use logstash.

setup.ilm.enabled: false

#============================= Docker ========================================
filebeat.autodiscover:
providers:
- type: docker
templates:
- condition:
regexp:
docker.container.image: myapp
config:
- type: container
paths:
- /var/lib/docker/containers/${data.docker.container.id}/*.log

#============================= Filebeat modules ===============================

filebeat.config.modules:

path: ${path.config}/modules.d/*.yml
reload.enabled: true

#==================== Elasticsearch template setting ==========================
setup.template.settings:
index.number_of_shards: 1

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
hosts: ["elksrv:9200"]
ilm.enabled: false

protocol: "http"
username: "elastic"
password: "changeme"
indices:

  • index: "myapp"
    when.contains:
    docker.container.image: "myapp"

setup.template.name: "notif5"
setup.template.pattern: "notif5-*"

processors:

  • add_host_metadata: ~
  • add_cloud_metadata: ~
  • add_docker_metadata: ~
    (commented parts of the conf file is omitted)

can you re-post using pre-formatted text to help reading the config file?

also the issue is not clear to me, are you having problems creating a custom index name with filebeat, or having issues disabling or enabling ILM?

Yes, I'm having problems creating a custom index with filebeat. To do that I need to disable ILM via filebeat config and for some reason, I can't.

For disabling ILM, one thing I notice is that your config file includes ilm.enabled: false when it should probably be setup.ilm.enabled: false

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.