Conditional rollover in elasticsearch output

Hello - In Filebeat, how do i specify conditional custom rollover index names in the Elasticsearch output block?

psuedo: when tag = "indexa" write events to the ilm.rollover_alias:"indexa", but when tag = "indexb" write events to the ilm.rollover_alias:"indexb"

I guess you can use when condition

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "warning-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "WARN"
    - index: "error-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

I knew someone was going to respond with a copy/paste from the documentation.

Forgive me if i am wrong, but i specifically asked for conditional rollover configuration.

If you create the two rollover indices and replace the index pattern in the example given with the write aliases and set the tag in the when condition, does it not work (have not tried)?

Hello, i gave it a whirl, so far no luck..

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: udp
  host: "10.0.101.15:10514"
  tags: ["voice"]
  fields:
    type: "voice"

- type: udp
  host: "10.0.101.15:10515"
  tags: ["viprinet"]
  fields:
    type: "viprinet"

- type: udp
  host: "10.0.101.15:10516"
  tag: ["smb1"]
  fields:
    type: "smb1"


#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.
setup.ilm.enabled: true
#setup.ilm.policy_name: "%{[fields.type]}"
#setup.ilm.rollover_alias: "%{[fields.type]}"
#setup.ilm.pattern: "%{[fields.type]}-{now/d}-000001"
setup.ilm.overwrite: true
setup.template.name: "%{[fields.type]}"
setup.template.pattern: "%{[fields.type]}-*"
setup.template.overwrite: true

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  indices:
    - index: "voice"
      when.contains:
        fields.type: "voice"
    - index: "viprinet"
      when.contains:
        fields.type: "viprinet"

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.