Filebeat Index Name Pattern - timestamp

danielc · February 4, 2022, 6:35am

Is %{+yyyy.MM.dd} the system time or log file timestamp?
Configure the Elasticsearch output | Filebeat Reference [7.10] | Elastic

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "%{[fields.log_type]}-%{[agent.version]}-%{+yyyy.MM.dd}"

What's the difference between YYYY and yyyy?

I've got answer for this. https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html
YYYY - week-based-year
yyyy - year-of-era

danielc · February 4, 2022, 7:42am

Filebeat uses time series indices, by default, when index lifecycle management is disabled or unsupported. The indices are named filebeat-7.10.2-yyyy.MM.dd, where yyyy.MM.dd is the date when the events were indexed.

What does this mean?

Scenario:
When Filebeat starts, Elasticsearch generates a few indices like filebeat-7.10.2-2022.01.30, filebeat-7.10.2-2022.01.31, filebeat-7.10.2-2022.02.01 at the same time. How does it happen?

danielc · February 7, 2022, 6:53pm

Filebeat uses time series indices, by default, when index lifecycle management is disabled or unsupported. The indices are named filebeat-7.10.2-yyyy.MM.dd, where yyyy.MM.dd is the date when the events were indexed.

Can anybody elaborate where yyyy.MM.dd is the date when the events were indexed?
Is yyyy.MM.dd the same as system date?

danielc · February 24, 2022, 4:56pm

Is there an Elastic developer in this forum?
I think a developer may know the answer of this question.

danielc · February 25, 2022, 1:06am

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /logs/access_log.*.log

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

When Filebeat starts, Elasticsearch generates a few indices like filebeat-7.10.2-2022.01.30, filebeat-7.10.2-2022.01.31, filebeat-7.10.2-2022.02.01 at the same time. How does it happen?

linuxxin · February 25, 2022, 7:59am

output.Elasticsearch:

hosts: ["192.168.0.12:9200"]

enabled: true

index: "test-1-%{[agent.version]}-%{+yyyy.MM.dd}"

setup.template.name: "test-1"

setup.template.pattern: "test-1-*"

setup.template.overwrit: true

setup.template.enabled: true

setup.ilm.enabled: false

danielc · February 25, 2022, 9:59pm

I've got:
setup.template.enabled: false

danielc · March 2, 2022, 12:11am

I suspected that the old registry was the culprit so I've removed the old registry and restarted Filebeat. All of logs goes to the current index now.

system · March 30, 2022, 2:12am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Indexes with FileBeat Beats filebeat	8	4396	September 27, 2016
Dynamic Index Name Creation Based on Updated @Timestamp Field Beats filebeat	4	1563	January 31, 2019
Filebeat does not set the index for logstash output even after providing index name in filebeat Beats	4	1203	December 30, 2016
Using index template to read a field as date Beats filebeat	5	4213	September 19, 2018
Filebeat new timestamp field Beats filebeat	3	2601	May 29, 2018

Filebeat Index Name Pattern - timestamp

Related Topics