Hey,
I'm setting up Filebeat for different modules, such as Apache and Nginx. I am trying to get a different index name for each module and file type.
For example, for Filebeat I want to create a different index for access and error files:
filebeat-apache-access-yyyy.mm.dd
filebeat-apache-error-yyyy.mm.dd
filebeat-nginx-access-yyyy.mm.dd
filebeat-nginx-error-yyyy.mm.dd
My current configuration in the filebeat.yml looks like this:
```yaml
output.elasticsearch:
  [...]
  indices:
    # date token corrected from %{[+yyyy.MM.dd]} to the %{+yyyy.MM.dd} form Filebeat expects
    - index: "filebeat-apache-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "apache"
```
And of course the same for nginx. How can I add an "and" logical operator? Is there an easier way?
What I don't get is why there is no key for the module, for example filebeat-%{[event.module]}-%{[+yyyy.MM.dd]}. And how can I include the current file type, for example filebeat-apache-%{[file.type]}-%{[+yyyy.MM.dd]}, to get an index name like filebeat-apache-access-2020.02.18 or filebeat-nginx-error-2020.02.18?
It is hard to figure out which fields are really available and how the logic in the filebeat.yml really works. The documentation is really awkward and not really detailed.
Where do other people on the forums get their information from? How do they know which fields exist and how they are named? I can't find anything about predefined index fields in the documentation, and I have already searched for at least one to two hours ...
//EDIT #1:
The configuration mentioned above does not work. If I run this configuration I get the following error:
Exiting: error initializing publisher: missing output.elasticsearch.indices.2.index
So there might be something wrong with defining more than one index. If I take out the default and the nginx index, then Filebeat creates a default index such as filebeat-7.5.2-2020.02.18. So the indices tag might not be available in the filebeat.yml, or I am doing something wrong.
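Added example (not part of the original post, and not taken from Elastic's documentation verbatim): a filebeat.yml fragment that produces the four index names asked for above with a single rule. It assumes Filebeat 7.x with the apache and nginx modules enabled, so every module event carries event.module ("apache"/"nginx") and fileset.name ("access"/"error"); the host and the fallback index name are placeholders. Two points the error in the edit above points at: the date token is %{+yyyy.MM.dd}, not %{[+yyyy.MM.dd]}, and every entry in the indices list needs its own index key (the error names entry 2, the third item, as the one without it). The commented-out rule shows the explicit when.and form for anyone who wants one rule per index.

```yaml
# Added example, not the original poster's config. Assumes Filebeat 7.x with the
# apache and nginx modules enabled (events carry event.module and fileset.name).
output.elasticsearch:
  hosts: ["localhost:9200"]   # assumed host, replace with your cluster

  # Fallback for events that match none of the `indices` rules below,
  # e.g. a plain log input that carries no module fields (placeholder name).
  index: "filebeat-other-%{+yyyy.MM.dd}"

  # Every list entry MUST carry an `index` key; an entry without one is what
  # produces "missing output.elasticsearch.indices.N.index" at startup.
  indices:
    # One rule yields filebeat-apache-access-2020.02.18, filebeat-nginx-error-...
    # has_fields guards the format string: if either field is absent the rule
    # does not match and the event falls through to `index` above instead of
    # failing to publish because a referenced field is missing.
    - index: "filebeat-%{[event.module]}-%{[fileset.name]}-%{+yyyy.MM.dd}"
      when:
        has_fields: ["event.module", "fileset.name"]

    # Explicit form with an AND condition, one rule per index:
    # - index: "filebeat-apache-access-%{+yyyy.MM.dd}"
    #   when:
    #     and:
    #       - equals:
    #           event.module: "apache"
    #       - equals:
    #           fileset.name: "access"

# A custom index name also needs a matching template name/pattern, and ILM has
# to be off: with ILM enabled (the 7.x default against a cluster that supports
# it) Filebeat writes to the ILM write alias and ignores `index`/`indices`.
setup.ilm.enabled: false
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"
```

If you would rather keep the module and fileset in one token, %{[event.dataset]} carries "apache.access" and gives filebeat-apache.access-2020.02.18. Run `filebeat test config -c filebeat.yml` after editing; it catches the missing-index-key error before you start the service, and `filebeat test output` confirms the connection.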