Trying to use the value of a field in the index name for the output to Elastic Cloud caused this error
{"type":"invalid_index_name_exception","reason":"Invalid index name [winlogbeat-Microsoft-Windows-TaskScheduler-6.2.4-2018.08.22], must be lowercase
Is there a way to convert the field name to lower case to be used?
index: "winlogbeat-%{[source_name]}-%{[beat.version]}-%{+yyyy.MM.dd}"When researching this issue I found an existing ticket open about it. https://github.com/elastic/beats/issues/6342 Feel free to comment on the existing issue.
IMO I think adding a lowercase processor would make sense.
As a workaround, I think you might be able use an Ingest Node pipeline. I think an ingest node pipeline can modify the _index value so you could dynamically set the value in the pipeline after lowercasing the value. Once you have the pipeline setup and tested then set output.elasticsearch.pipeline to point Winlogbeat at the pipeline.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.