We used to store filebeat data from different sources in a different index due to storage size and document category using different ILM policies.
Now we can't do that because if we use ILM, we can't change the index name, so now all documents store on the same index and with the same ILM policy. That's a problem because there are policies with 1 week and others with a year that mage huge difference when it comes to storage.
Is there a way to change de data stream name for filebeat?
Hello Andrés,
You can change the ilm policy the filebeat is targeting:
With this the underling index and retention is also changed.
Hope this helps
Thanks @Shaoranlaos
May be I wasn't clear. We need to change index name.
The thing is that rollover_alias has been removed, so I see no way to change the index name from ILM policy.
In case somebody reads this,
Could be an option to set filebeat output to send events to logstash?
It seems possible to handle index name and ilm in a more flexible way form logstash than filebeat.
A solution might be to add a source or app id into the filebeat configuration for the input and the use logstash to split the sources into separate indices or streams, using IF / ELSE statements in Logstash.Output.
Here is a filebeat example that creates and writes to datastream filebeat-8.x.x-elastic-internal, index names are like .ds-filebeat-8.1.2-elastic-internal-2022.04.04-000001
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
setup.template.settings:
index.number_of_shards: 1
index.number_of_replicas: 0
setup.template.name: "filebeat-%{[beat.version]}-elastic-internal"
setup.template.pattern: "filebeat-%{[beat.version]}-elastic-internal*"
setup.ilm.enabled: true
setup.ilm.rollover_alias: "filebeat-%{[agent.version]}-elastic-internal"
setup.ilm.policy_name: "roll_daily_delete_30"
setup.kibana:
host: "https://...:5601"
output.elasticsearch:
hosts: ["https://...:9200"]
index: "filebeat-%{[agent.version]}-elastic-internal"
username: "..."
password: "..."
ssl.certificate_authorities: ["/etc/filebeat/..."]
ssl.certificate: "/etc/filebeat/..."
ssl.key: "/etc/filebeat/..."
processors:
- add_host_metadata: ~
- add_locale: ~
logging.to_files: true
logging.files:
path: /var/log/filebeat
name: filebeat
keepfiles: 7
permissions: 0644
monitoring.enabled: false
monitoring.cluster_uuid: ...
http.enabled: true
monitoring.elasticsearch:
setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["/etc/filebeat/..."]
setup.kibana.ssl.certificate: "/etc/filebeat/..."
setup.kibana.ssl.key: "/etc/filebeat/..."
Edited, my ILM policy was incorrect, I fixed it and rollover is happening.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.