Elasticsearch output - index name pattern

zombie101 · December 4, 2015, 11:45pm

The elasticsearch output takes a setting for the index name, with a default of 'logstash-YYYY.MM.dd'. Where does the 'YYYY.MM.dd' come from? Are there other options, such as time (e.g. HHmmss), week of year, day of year, locale month name, etc?

Thanks,
John Ouellette

warkolm · December 5, 2015, 12:15am

Basically when LS sends the request to create the index it just asks for now in UTC.

zombie101 · December 5, 2015, 12:28am

Ok, but that isn't quite what I was asking for. Let's say I wanted to create an index that is named by the year, week of year, and day of week (ok, stupid example). If I assume that the default 'YYYY.MM.dd' specification comes from the same Joda DateTimeFormat as the logstash date filter plugin, my ugly index name in the elasticsearch output would be:

index => "logstash-%{+YYYY.ww.ee}"

So, is the format specification the Joda DateTimeFormat, or something completely different?

Are there other options? With the %{} format, can I access other logstash terms, like the type, or, I don't know, the host name, etc.?

Sorry if this isn't clear

magnusbaeck · December 5, 2015, 4:30pm

Basically when LS sends the request to create the index it just asks for now in UTC.

Surely it uses the @timestamp field?

magnusbaeck · December 5, 2015, 4:38pm

So, is the format specification the Joda DateTimeFormat, or something completely different?

No, it's Joda-Time alright.

Are there other options? With the %{} format, can I access other logstash terms, like the type, or, I don't know, the host name, etc.?

Yes, you can access any field. Here's the relevant part of the documentation: Accessing event data and fields | Logstash Reference [8.11] | Elastic

magnusbaeck · December 6, 2015, 10:24pm

Surely it uses the @timestamp field?

Indeed it does. Filed a PR to clarify this in the documentation:

zombie101 · December 7, 2015, 4:51pm

Thanks Magnus!

mrkeelan · December 22, 2016, 11:50pm

Is it possible to tell it to use a different date field, other than @timestamp?

magnusbaeck · December 28, 2016, 8:43pm

Is it possible to tell it to use a different date field, other than @timestamp?

No.

mrkeelan · January 11, 2017, 4:34am

Thanks.

I came up with a work-around to use this, and drop or rename @timestamp, if anyone else needs it.

filter {
    mutate {
        add_field => {
            "[@metadata][indexDate]" => "%{+YYYY.MM.dd}"
        }
        rename => {
            "@timestamp" => "receivedTimestamp"
        }
    }
}
output {
    elasticsearch {
        hosts => [
            'elastic01.example.com:9200',
            'elastic02.example.com:9200',
            'elastic03.example.com:9200'
        ]
        index => "logstash-%{[@metadata][indexDate]}"
    }
}

Topic		Replies	Views
Elastic not creating index daily based on date Logstash	13	2180	July 6, 2020
How to name new index based on time from log Logstash	10	12653	March 1, 2017
Date format on Logstash Logstash	3	1199	July 6, 2017
[Solved] Weekly indexes instead of daily Logstash	3	18988	July 6, 2017
Monthly indexes Logstash	4	3138	September 25, 2020

Elasticsearch output - index name pattern

Related Topics