Wondering if I could create an index based on the JSON fields dynamically in
Elasticsearch when Logstash forwards a JSON-formatted message to
Elasticsearch.
For example:
Logstash forwards a message in the following format:
    "MONTH": [
      [
        "Jan"
      ]
    ],
    "MONTHDAY": [
      [
        "9"
      ]
    ]
I wanted to create an index based on MONTH and MONTHDAY in Elasticsearch. Could someone please help me out?
What I meant was, could I create indexes based on MONTH and MONTHDAY
respectively at the same time?
On Tuesday, February 18, 2014 11:01:59 AM UTC+5:30, san wrote:
> Wondering if I could create an index based on the JSON fields dynamically in
> Elasticsearch when Logstash forwards a JSON-formatted message to
> Elasticsearch.
> For example:
> Logstash forwards a message in the following format:
>     "MONTH": [
>       [
>         "Jan"
>       ]
>     ],
>     "MONTHDAY": [
>       [
>         "9"
>       ]
>     ]
> I wanted to create an index based on MONTH and MONTHDAY in Elasticsearch. Could someone please help me out?
Keep in mind that ES index names can only be all lowercase (so you have to
lowercase the values first in LS). Try something like this (after
lowercasing the values first)?
You can specify the index name in the elasticsearch output: Elasticsearch output plugin | Logstash Reference [8.11] | Elastic
For example, let's say I have a field named clientip, I can make
indexes named ls-clientip by specifying something like this:
    output {
      elasticsearch {
        host => "localhost"
        index => "ls-%{clientip}"
      }
    }
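Added example, not part of the original thread: one way to apply the two points above (lowercase first, then reference fields in the index name) to the MONTH and MONTHDAY fields from the question. It assumes both are plain string fields on the event (for example set by grok), combines them into one index name, and uses a hypothetical fallback index ls-unparsed; host follows the 2014 example above.

```logstash
filter {
  # Elasticsearch rejects index names containing uppercase letters,
  # so "Jan" must become "jan" before it is used in the name.
  mutate {
    lowercase => [ "MONTH" ]
  }
}

output {
  # Only build the name from the fields when both are present.
  # If a referenced field is missing, Logstash leaves the reference
  # as literal text in the index name instead of failing.
  if [MONTH] and [MONTHDAY] {
    elasticsearch {
      # "host" as in the example above; newer plugin versions
      # take hosts => ["localhost"] instead.
      host => "localhost"
      index => "ls-%{MONTH}-%{MONTHDAY}"   # e.g. ls-jan-9
    }
  } else {
    # Hypothetical fallback index for events that were not parsed.
    elasticsearch {
      host => "localhost"
      index => "ls-unparsed"
    }
  }
}
```

Every distinct field value creates its own index, so this suits fields with a small, known set of values such as MONTH; a field taken straight from log content (like clientip) lets whoever controls that content decide how many indexes get created.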
How or where do you declare the variables such as %{clientip}?
They are fields in the message, often populated by a 'grok' filter.
Note that not all strings in Logstash configuration files support
%{variablename} interpolation. Where you can use such references
is unfortunately underdocumented.
--
Magnus Bäck | Software Engineer, Development Tools magnus.back@sonymobile.com | Sony Mobile Communications