Collectd index name

Kernel_Panic · November 8, 2016, 6:21pm

Hi there guys

I'm configuring collectd to gather info from my docker containers, so far so good, but I'd like the to have a descriptive index name, now it's called like bellow, which was created automatically, I'd like to have something like collectd-DATE-FORMAT

yellow open %{[@metadata][beat]}-2016.11.08 5 1 86550 0 10.9mb 10.9mb

I created an input file like this:

    input {
      udp {
        port => 25826
        buffer_size => 1452
        codec => collectd { }
      }
    }

and got an output like this which works with filebeat and metricbeat:

cat 30-output.conf

output {
  elasticsearch {
    hosts => ["server-name"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

What am I missing
Thanks in advance
Regards

magnusbaeck · November 8, 2016, 7:55pm

If you set a type for your collectd event (e.g. type => "collectd" in your input declaration) you can add a conditional in your output block to choose between two elasticsearch output. One if it's a collectd message and another one for Beats messages. Or, name the index after the beat name if available and otherwise store the events elsewhere:

output {
  if [@metadata][beat] {
    elasticsearch {
      hosts => ["server-name"]
      sniffing => true
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else {
    elasticsearch {
      hosts => ["server-name"]
      sniffing => true
      manage_template => false
      index => "collectd-%{+YYYY.MM.dd}"
      document_type => "collectd"
    }
  }
}

Kernel_Panic · November 8, 2016, 8:02pm

Thank you very much, very kind of U.
Regards

Kernel_Panic · November 8, 2016, 8:47pm

Hi,
I get this error when starting logstash, just copy/paste the example above, only replaced with the correct server name.

{:timestamp=>"2016-11-08T14:45:24.664000-0600", :message=>"Error: Expected one of #, if, ", ', } at line 43, column 25 (byte 985) after output {\n if [@metadata][beat] {", :level=>:error}

Thank you!

magnusbaeck · November 8, 2016, 9:39pm

There's a double opening brace on the second line. I've corrected the previously posted snippet.

Kernel_Panic · November 8, 2016, 11:35pm

Lotta thanks!!

system · December 6, 2016, 11:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.