Dynamic index

wuwo1952368901 · October 26, 2018, 8:34am

I want to dynamic index from meassage nodename,but it's only show "%{[node_name]}" ,it's not my node_name. How can i config this?

filter {
grok {
match => {
"message"=>"#%{DATA:request_time}#%{DATA:node_name}#%{DATA:class_name}#%{DATA:log_level}#%{DATA:call_site}#%{DATA:line_number}#%{DATA:request_url}#%{DATA:request_method}#%{DATA:container_name}#%{DATA:action_name}#%{DATA:log_info}#%{DATA:exception}#%{DATA:ip}#%{DATA:form}#%{DATA:identity}" }
}
}

output{
elasticsearch{
hosts=>["127.0.0.1:9200"]
index=>"%{[node_name]}"

}

Christian_Dahlqvist · October 26, 2018, 8:45am

Is the grok expression working so that the field is actually extracted? If you look at the data in Elasticsearch, do you see a _grokparsefailure tag? If not, can you show us what anindexed document looks like?

wuwo1952368901 · October 26, 2018, 11:05am

When i use this ,it was ok
output{
elasticsearch{
hosts=>["127.0.0.1:9200"]
index=>"defult"
}
}

but use this,i can't see node_nam in Elasticsearch
output{
elasticsearch{
hosts=>["127.0.0.1:9200"]
index=>"%{[node_name]}"
}
}

Jenni · October 26, 2018, 11:12am

Well, you still haven't posted your indexed events ...

system · November 23, 2018, 11:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.