Elasticsearch output - index name pattern

zombie101 · December 4, 2015, 11:45pm

The elasticsearch output takes a setting for the index name, with a default of 'logstash-YYYY.MM.dd'. Where does the 'YYYY.MM.dd' come from? Are there other options, such as time (e.g. HHmmss), week of year, day of year, locale month name, etc?

Thanks,
John Ouellette

warkolm · December 5, 2015, 12:15am

Basically when LS sends the request to create the index it just asks for now in UTC.

zombie101 · December 5, 2015, 12:28am

Ok, but that isn't quite what I was asking for. Let's say I wanted to create an index that is named by the year, week of year, and day of week (ok, stupid example). If I assume that the default 'YYYY.MM.dd' specification comes from the same Joda DateTimeFormat as the logstash date filter plugin, my ugly index name in the elasticsearch output would be:

index => "logstash-%{+YYYY.ww.ee}"

So, is the format specification the Joda DateTimeFormat, or something completely different?

Are there other options? With the %{} format, can I access other logstash terms, like the type, or, I don't know, the host name, etc.?

Sorry if this isn't clear

magnusbaeck · December 5, 2015, 4:30pm

Basically when LS sends the request to create the index it just asks for now in UTC.

Surely it uses the @timestamp field?

magnusbaeck · December 5, 2015, 4:38pm

So, is the format specification the Joda DateTimeFormat, or something completely different?

No, it's Joda-Time alright.

Are there other options? With the %{} format, can I access other logstash terms, like the type, or, I don't know, the host name, etc.?

Yes, you can access any field. Here's the relevant part of the documentation: Accessing event data and fields | Logstash Reference [8.11] | Elastic

magnusbaeck · December 6, 2015, 10:24pm

Surely it uses the @timestamp field?

Indeed it does. Filed a PR to clarify this in the documentation:

zombie101 · December 7, 2015, 4:51pm

Thanks Magnus!

mrkeelan · December 22, 2016, 11:50pm

Is it possible to tell it to use a different date field, other than @timestamp?

magnusbaeck · December 28, 2016, 8:43pm

Is it possible to tell it to use a different date field, other than @timestamp?

No.

mrkeelan · January 11, 2017, 4:34am

Thanks.

I came up with a work-around to use this, and drop or rename @timestamp, if anyone else needs it.

filter {
    mutate {
        add_field => {
            "[@metadata][indexDate]" => "%{+YYYY.MM.dd}"
        }
        rename => {
            "@timestamp" => "receivedTimestamp"
        }
    }
}
output {
    elasticsearch {
        hosts => [
            'elastic01.example.com:9200',
            'elastic02.example.com:9200',
            'elastic03.example.com:9200'
        ]
        index => "logstash-%{[@metadata][indexDate]}"
    }
}