Change the stream names

Is it possible to change or indicate the stream (index) name, like index => "client-1-%{+dd.MM.YYYY}", when using Fleet Server and Elastic Agent with the Logstash output?
There are streams with default names like "logs-auditd.log-default".

You can change the DataStream's 3rd part, the Namespace, to specify a custom client name.

You can do it in Logstash, in case you need to retrieve a client name from the log itself:

filter {
    mutate {
        update => { "[data_stream][namespace]" => "%{[client][name]}" }
    }
}

Or directly in the Fleet integration if you are installing an agent for each client.
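Added example, not part of any post in this thread: a fuller version of the filter above that only rewrites the namespace when the client name is present and usable. It assumes the client name arrives in `[client][name]` as in the answer; the `[@metadata][ns]` helper field is a name chosen for this example.

```logstash
filter {
  # Only touch the namespace when the event actually carries a client name.
  # Without this guard the literal text "%{[client][name]}" would be written
  # into data_stream.namespace for events that lack the field.
  if [client][name] and [client][name] != "" {
    # Work on a copy under @metadata so client.name itself is left unchanged
    # and the helper field is never shipped to Elasticsearch.
    mutate {
      copy => { "[client][name]" => "[@metadata][ns]" }
    }
    # Separate mutate blocks are used on purpose: inside a single block,
    # gsub is applied before lowercase, which would turn capitals into "_".
    mutate {
      lowercase => [ "[@metadata][ns]" ]
    }
    # data_stream.namespace may not contain "-" or characters that are
    # illegal in index names, so anything outside [a-z0-9_.] becomes "_".
    mutate {
      gsub => [ "[@metadata][ns]", "[^a-z0-9_.]", "_" ]
    }
    mutate {
      update => { "[data_stream][namespace]" => "%{[@metadata][ns]}" }
    }
  }
  # Events without a client name keep the namespace set by the agent policy.
}
```

The namespace is also limited to 100 characters, which this example does not enforce.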

Hello @j0rj. Thanks for the reply.

Do you know where I can add the date to the data stream?
Or is it possible to add it like this:

filter {
    mutate {
        update => { "[data_stream][namespace]" => "%{[client][name]}-%{+dd.MM.YYYY}" }
    }
}

Adding the dates in here would affect how the ILM rollover works, as you will enforce a new index daily (regardless of its size, can be 1Gb or 100GB) instead of letting the ILM policy rollover action take care of that and be certain a new index will only be created when a specific parameter is reached (size, docs, age...).

If you add it that way, and remove the Enrollment action from the ILM Policy Hot Phase, it might work fine for you, but it needs to be tested to see if it causes any other issues that need to be edited somewhere else as well.
