Hello, I could use some help with dynamic indexes. I would like to create separate Filebeat indexes for a specific module, e.g. cisco.
Steps I took:
- Added a "when.equals" condition to my elastic output in filebeats.yml.
- Restarted filebeat (also ran a `filebeat setup`).
- Realised I did things out of order: missed creating the index template and bootstrapping (which I'm still foggy on as my subsequent attempts didn't work either).
```yaml
indices:
  - index: "filebeat-%{[agent.version]}-cisco-%{+yyyy.MM.dd}"
    when.equals:
      event.module: "cisco"
```
This seemed to work; it created my new index just fine, but it had two issues:
- The ILM complained about aliases.
- It didn't append an increment to the index; *-000001, for example.
I've since created an index pattern to match "filebeat-7.14.0-cisco", with the following alias setting:
```json
"index": {
  "lifecycle": {
    "name": "filebeat",
    "rollover_alias": "filebeat-7.14.0-cisco"
  }
}
```
This is not working, as those of you who have this stuff figured out have probably guessed. I'll spare more detail, for now, to avoid providing useless information. Please let me know if anything is missing that would be helpful.
Can anyone provide guidance on the proper steps that need to be taken to accomplish having a module in its own sub-index, and still take advantage of ILM and rollover dynamically?