Custom logstash index name output to ES

Brandon_Reeves · June 7, 2017, 5:08pm

We would like to create a custom index in ES using hostname, date, and a variable from a file if possible. Here is our current output

output {
elasticsearch {
hosts => "127.0.0.1"
index => "logstash-%{+YYYY.MM.dd}"
}
}

That works fine for creating logstash-date index. However we would like to create an index name logstash-(localhostname)-(variable)-(date). where localhostname is the local system name and variable is some string retrieved from another file or from within the logstash output configuration file.

So our ideal index would be: logstash-(localhost)-(string)-(todaysdate)

Can anyone please help. We cant seem to get this done.

Thanks

Christian_Dahlqvist · June 7, 2017, 6:37pm

You can reference other field names in the index name pattern, so as long as you have the relevant fields in your event it should be reasonably straightforward. A index naming scheme like you are suggesting could however result in a lot of very small indices and shards, which is very in efficient and tend to scale badly, so consider this before going down that path. There are numerous issues raised in this forum that can tracked down to users having too many small indices and shards.

system · July 5, 2017, 6:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch output - index name pattern Logstash	10	21149	July 6, 2017
Elastic search indices, what variables are available? Logstash	5	4086	July 6, 2017
IndexName with current date Logstash	3	19541	July 6, 2017
Generate dynamic date for ES Index Logstash	5	2630	July 6, 2017
Logstash output Indexname with old Date Logstash	6	10962	April 12, 2018

Custom logstash index name output to ES

Related Topics