Create custom index using custom mapping field via logstash

Aner_Izraeli · October 30, 2017, 11:42am

Hello there,
im using logstash with matching my custom fields via multigrok.conf.
example:

match => { "message" => "(?<log_type>AUTORUN) (?.*?)|%{IPORHOST:machineName}|%{DATA:userName}|%{DATA:domainname}|%{DATA:os}|%{IPORHOST:machineName2}|%{IP:ipaddress}|%{DATA:keyName}|%{DATA:keyData}|%{WORD:hash}|%{WORD:keyType}" }

currently my index created under logstash-*

can i automatically create a custom index using one of the custom matching fields in my multigrok.conf? 'domainname' for instance?

output {
elasticsearch {
hosts => [ "https://cloud/" ]
#index => "domainname"

tried and did not work.
Thanks!

paz · October 30, 2017, 11:48am

You need to reference the field properly (as it is, it's just a string value).

output {
  elasticsearch {
     hosts => [ "https://cloud/" ]
     index => "%{domainname}"
  }
}

Aner_Izraeli · October 30, 2017, 1:18pm

Thanks!
should i create an index pattern of *?
should i change anything at "advanced settings"?

paz · October 30, 2017, 1:28pm

You shouldn't really need to change any advanced settings for it to work.
Those are usually for specific use-cases or performance tuning. If it works nicely for you, I'd say don't do so (unless you want to experiment).

As for the index pattern, it's just a matter of preference. If you want your indices to be named just based on the domain name, or append a prefix or anything. There is no set rule on this.

Aner_Izraeli · October 30, 2017, 2:07pm

Hmmm ok
but if so, my only index i have is logstash-*
via kibana`s discover i really cant search other index since logstash-* is the only option.

paz · October 30, 2017, 2:21pm

Oh I thought you meant in Logstash configuration.
For Kibana to discover your indices you do need to set an index pattern of * (as in "fetch everything").

Aner_Izraeli · October 30, 2017, 2:40pm

Yeah just did and it works great!
Thank you very much!

Aner_Izraeli · October 30, 2017, 2:56pm

Hii again,
so a new _index was created. new index name is "aner-new-index"
i can see it in my events via discover.
now i want to grant a user priv based on that new index.
however, the only indices i have are * and logstash-*
cant see "aner-new-index". whats missing here?

system · November 27, 2017, 2:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.