Different index output using ingest pipeline

alfianaf · October 11, 2021, 3:35am

Hello, I'm trying to use ingest pipeline to get different index output.
Here's my case: I have fluentd to hit input on Elasticsearch, fluentd make index input on Elasticsearch named as "app-write", I want to filter from the current source input.
here is glimpse of my index if I dont use any filter:

"_source": {
"kubernetes": {
"container_name": "iris-uat"
} }

I want to get different index output based on value from [kubernetes][container_name]. there is only two value on the current field, it is "iris-uat" and "iris".
Is there any way to get index output as "app-write-iris" and "app-write-iris-uat"?

Keep in mind that I didn't use logstash to filter the index because I'm having much trouble with it (such as overload input or else)

Any help is much appreciated
Thanks

warkolm · October 11, 2021, 4:04am

You could do something like this - Ingest pipelines | Elasticsearch Guide [7.15] | Elastic

alfianaf · October 11, 2021, 4:11am

I've seen the documentation, but I'm sorry I don't really understand how it will be implemented on my case

"processors": [
    {
      "pipeline": {
        "description": "If 'service.name' is 'apache_httpd', use 'httpd_pipeline'",
        "if": "ctx.service?.name == 'apache_httpd'",
        "name": "httpd_pipeline"
      }
    }

according to the example, can I just change the "name" to index name that I want?

warkolm · October 11, 2021, 4:15am

The name is the pipeline you want to use. So you'd need 3 pipelines;

The first one which figures out the container_name value
A pipeline for iris that sends to it's own index
A pipeline for iris-uat that sends to it's own index

alfianaf · October 11, 2021, 4:50am

from your explanation, I guess this is what I should do

Make pipeline named 'iris-rule' that have conditional to get container name
(if container name 'iris' go to 'iris' pipeline, and do so for 'iris-uat')
Make pipeline named 'iris' to just ingest input to 'iris' index
Make pipeline named 'iris-uat to just ingest input to 'iris-uat' index

cmiiw, sorry for bothering because I haven't try to make any pipeline before

alfianaf · October 11, 2021, 5:46am

I've created test pipeline based on your instructions, and It works perfectly, but I tried on reroute api, so I rerouted an index to a new index.
so for my case, should I state the pipeline rule's name on my index template to apply the pipeline automatically on document input?

Thanks in advance

warkolm · October 11, 2021, 5:47am

Ideally, yes.

alfianaf · October 11, 2021, 5:57am

thanks for the help, hope you have a nice day

system · November 8, 2021, 5:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.