Custom logstash index name output to ES

Brandon_Reeves · June 7, 2017, 5:08pm

We would like to create a custom index in ES using hostname, date, and a variable from a file if possible. Here is our current output

output {
elasticsearch {
hosts => "127.0.0.1"
index => "logstash-%{+YYYY.MM.dd}"
}
}

That works fine for creating logstash-date index. However we would like to create an index name logstash-(localhostname)-(variable)-(date). where localhostname is the local system name and variable is some string retrieved from another file or from within the logstash output configuration file.

So our ideal index would be: logstash-(localhost)-(string)-(todaysdate)

Can anyone please help. We cant seem to get this done.

Thanks

Christian_Dahlqvist · June 7, 2017, 6:37pm

You can reference other field names in the index name pattern, so as long as you have the relevant fields in your event it should be reasonably straightforward. A index naming scheme like you are suggesting could however result in a lot of very small indices and shards, which is very in efficient and tend to scale badly, so consider this before going down that path. There are numerous issues raised in this forum that can tracked down to users having too many small indices and shards.

system · July 5, 2017, 6:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Custom Index Name - Logstash Logstash	8	20203	July 6, 2017
Elasticsearch output - index name pattern Logstash	10	21162	July 6, 2017
Elastic search indices, what variables are available? Logstash	5	4086	July 6, 2017
Index name from log date not from system time Logstash	5	3319	September 14, 2017
IndexName with current date Logstash	3	19555	July 6, 2017

Custom logstash index name output to ES

Related topics