Creating index depends on source

A_B · February 5, 2019, 8:35am

Hi @Kanthasamyraja,
To achieve this I have done the following.

In Filebeat I set some fields like

- type: log
  paths:
    - /var/log/sensu/*.log
  encoding: plain
  fields:
    log_prefix: dc
    log_idx: sensu-logs
  fields_under_root: false

In Logstash I create @metadata fields based on these.

# Adding @metadata needed for index sharding to Filebeat logs
mutate {
  copy => {
   "[fields][log_prefix]" => "[@metadata][log_prefix]"
   "[fields][log_idx]" => "[@metadata][index]"
  }
}

And my Elasticsearch output if Logstash can then be just

  elasticsearch {
        hosts => ["10.1.1.1:9200", "10.1.1.2:9200", "10.1.1.3:9200"]
        index => "%{[@metadata][log_prefix]}-%{[@metadata][index]}-%{+YYYY.MM.dd}"
  }

You can drop one of the @metadata fields if you just need the one "switch".

Hope that helps,
AB

Topic		Replies	Views
Create Multiple Indexes from filebeat Logstash	3	1530	September 30, 2021
Set index depending on hostname/custom field Logstash	3	3767	January 10, 2018
Problem creating index Beats filebeat	7	573	May 25, 2020
Output to different index based on field Logstash	12	3201	February 5, 2022
Beat not creating index the right way after change output from elasticsearch to logstash Logstash	1	333	October 23, 2020

Creating index depends on source

Related topics