Dynamic index names

neilt · March 29, 2021, 10:36am

I've lifted the below pattern from the logstash docs and modified for my use case.

Deffo have a field service.region in my log messages that is populated with values dev1 dev2 or sit. But i am not seeing the indexes with [service][region] pattern being created.

Looking at debug logs it seems that my if statement seems always to drop to else clause .

Using ELK 7.12.0

What am I doing wrong ?

filter {
# we don't want these to go to the application log indexes
    if [service][region] in [ "dev1","dev2","sit" ] {
        mutate {
            add_field => { "[@metadata][target_index]" => "blade-logs-%{[service][region]}-%{+YYYY.MM.dd}" }
        }
    } else {
        mutate {
            add_field => { "[@metadata][target_index]" => "blade-logs-%{+YYYY.MM.dd}" } }
    }
    mutate {
        rename => {
            "message.index" => "message_index"
        }
    }
}

foo

output {
    elasticsearch {
        ....
        index => "%{[@metadata][target_index]}"
        ilm_enabled => false
    }
}

I get the logic around ILM managed indexes and naming as mentioned in previous answers.

system · April 26, 2021, 10:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dynamic index names Logstash	6	2707	September 16, 2021
Split index in runtime Logstash	3	348	January 9, 2022
Dynamic index name Logstash	4	8408	July 6, 2017
Workaround to Dynamic Index Names When Ussing ILM Policy Logstash ilm-index-lifecycle-management	2	544	May 25, 2021
Logstash Dynamic Template and ILM Creation Logstash	5	492	September 24, 2020

Dynamic index names

Related topics