Filebeat Index Issue - template pattern / name


(Andrew Murdoch) #1

Hey Guys

I'm trying to set my index in Filebeat. This is my current config:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.199:9200"]
  setup.template.name: "desktop"
  setup.template.pattern: "desktop-*"
  index: "desktop-%{[beat.version]}-%{+yyyy.MM.dd}"
  indices:
    - index: "critical-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "CRITICAL"
    - index: "error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  username: "elastic"
  password: "blah"

  timeout: 180
  bulk_max_size: 2

I made sure to add the template with:

filebeat export template > filebeat.template.json
curl -XPUT --user elastic:blah -H 'Content-Type: application/json' http://192.168.1.199:9200/_template/desktop -d@filebeat.template.json

but when I start filebeat (service filebeat start), I get:

Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified.

I'm on Ubuntu 17.10 and my ELK is on Ubuntu 18.04. Can anyone see what I'm doing wrong?

Thanks
D


(Noémi Ványi) #2

Your config seems to be incorrect. setup.template.* should not go under output.elasticsearch. It stands in the root of the config, as seen here:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["192.168.1.199:9200"]
  index: "desktop-%{[beat.version]}-%{+yyyy.MM.dd}"
  indices:
    - index: "critical-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "CRITICAL"
    - index: "error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  username: "elastic"
  password: "blah"

  timeout: 180
  bulk_max_size: 2

setup.template.name: "desktop"
setup.template.pattern: "desktop-*"
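
An added example, not part of the thread and not Filebeat's own code: a small Python check that flags `setup.template.*` keys nested under another section (the mistake corrected above) and also reports index names that fall outside `setup.template.pattern`, since an Elasticsearch template only applies to indices matching its pattern. It assumes the dotted key form with one-line scalar values; `lint`, `BROKEN` and `FIXED` are names made up for this example.

```python
import fnmatch
import re
import textwrap

# Constructed samples, trimmed from the two configs in this thread.
TEMPLATE = 'setup.template.name: "desktop"\nsetup.template.pattern: "desktop-*"\n'
HEAD = 'output.elasticsearch:\n  hosts: ["192.168.1.199:9200"]\n'
BODY = '''  index: "desktop-%{[beat.version]}-%{+yyyy.MM.dd}"
  indices:
    - index: "critical-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "CRITICAL"
'''
BROKEN = HEAD + textwrap.indent(TEMPLATE, "  ") + BODY   # layout from the question
FIXED = HEAD + BODY + TEMPLATE                           # layout from the answer

# indent, optional list dash, key, optionally quoted scalar value
KEY = re.compile(r'^(\s*)(?:-\s+)?([\w.]+):\s*"?([^"#]*)"?')
FIELD = re.compile(r"%\{[^}]*\}")  # format fields such as %{+yyyy.MM.dd}


def lint(text):
    """Return findings for a Filebeat config that uses dotted setup.template.* keys."""
    root, indexes, findings = {}, [], []
    for n, line in enumerate(text.splitlines(), 1):
        m = KEY.match(line)
        if not m:
            continue  # blank line or comment
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if key.startswith("setup.template."):
            if indent:
                findings.append(f"line {n}: {key} is nested; move it to the config root")
            else:
                root[key] = value
        elif key == "index" and indent:
            indexes.append((n, value))
    name, pattern = root.get("setup.template.name"), root.get("setup.template.pattern")
    if indexes and not (name and pattern):
        findings.append("index is modified but setup.template.name/pattern are not set at the root")
    for n, index in indexes:
        # Replace each format field with a stand-in so the glob can be tested.
        if pattern and not fnmatch.fnmatchcase(FIELD.sub("x", index), pattern):
            findings.append(f"line {n}: {index} does not match template pattern {pattern}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("question", BROKEN), ("answer", FIXED)):
        print(label, *lint(cfg), sep="\n  ")
```

On the corrected layout the only remaining finding is the `critical-` index, which the `desktop-*` pattern does not cover.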

(Andrew Murdoch) #3

That was the issue :) Thanks!

