Custom logstash index name output to ES

Brandon_Reeves · June 7, 2017, 5:08pm

We would like to create a custom index in ES using hostname, date, and a variable from a file if possible. Here is our current output

output {
elasticsearch {
hosts => "127.0.0.1"
index => "logstash-%{+YYYY.MM.dd}"
}
}

That works fine for creating logstash-date index. However we would like to create an index name logstash-(localhostname)-(variable)-(date). where localhostname is the local system name and variable is some string retrieved from another file or from within the logstash output configuration file.

So our ideal index would be: logstash-(localhost)-(string)-(todaysdate)

Can anyone please help. We cant seem to get this done.

Thanks

Christian_Dahlqvist · June 7, 2017, 6:37pm

You can reference other field names in the index name pattern, so as long as you have the relevant fields in your event it should be reasonably straightforward. A index naming scheme like you are suggesting could however result in a lot of very small indices and shards, which is very in efficient and tend to scale badly, so consider this before going down that path. There are numerous issues raised in this forum that can tracked down to users having too many small indices and shards.

system · July 5, 2017, 6:38pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.