Filebeat multiple index rollover problem

graimato · February 19, 2021, 10:27am

Dear all
I'm sending log data to elastic using filebeat. I have multiple files to read, actually I'm sending all log files (eg. *.log) and it works correctly, I have index and rollover works.
Now I need to have different index for different log type and I'm following
this guide

I setup the configuration:

setup.template.settings:
  index.number_of_shards: 1
setup.ilm.rollover_alias: "filebeat-test-7.10.2"
setup.ilm.enabled: true
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.policy_name: "filebeat-test-7.10.2"
setup.ilm.overwrite: false
setup.ilm.check_exists: true



output.elasticsearch:
  hosts: ["els-mon1.local.com","els-mon2.local.com","els-mon3.local.com"]
  index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
  protocol: "https"
  username: "filebeat_setup"
  password: ""
  indices:
    - index: "filebeat-test-%{[agent.version]}-api-%{+yyyy.MM.dd}"
      when.contains:
        message: "webapi"
      setup.ilm.rollover_alias: "filebeat-test-7.10.2-api"
      setup.ilm.enabled: true
      setup.ilm.pattern: "{now/d}-000001"
      setup.ilm.policy_name: "filebeat-test-7.10.2-api"
      setup.ilm.overwrite: false
      setup.ilm.check_exists: true
      setup.template:
        name: "filebeat-test-7.10.2-api"
        pattern: "filebeat-test-7.10.2-api-*"
        enabled: true
        overwrite: false

  - index: "filebeat-test-%{[agent.version]}-noapi-%{+yyyy.MM.dd}"
      when.contains:
        message: "webapps"
      setup.ilm.rollover_alias: "filebeat-test-7.10.2"
      setup.ilm.enabled: true
      setup.ilm.pattern: "{now/d}-000001"
      setup.ilm.policy_name: "filebeat-test-7.10.2"
      setup.ilm.overwrite: false
      setup.ilm.check_exists: true
      setup.template:
        name: "filebeat-test-7.10.2"
        pattern: "filebeat-test-7.10.2-*"
        enabled: true
        overwrite: false

I have correctly 3 different indexes
filebeat-test-7.10.2-2021.02.19
filebeat-test-7.10.2-api-2021.02.19
filebeat-test-7.10.2-noapi-2021.02.19

but only the firstone correctly apply rollover, the problem is rollover alias, It is possible to assign multiple rollover alias to the same ILM?
Or for each index I have to setup a new ilm with new Alias?

Some one have an idea to solve it?

best regards and thanks for your time

P.S. I know that many information are hardcoded into the configuration file I'll fix them when I'll solve the main problem

warkolm · February 22, 2021, 12:55am

You need to keep them separate.

graimato · February 22, 2021, 11:04am

thanks @warkolm
but exactly how I can do it?

thanks for your time

warkolm · February 22, 2021, 10:28pm

You will need separate policies.

graimato · February 23, 2021, 1:03pm

@warkolm Thanks for your answare

I changed the configuration

setup.template.settings:
  index.number_of_shards: 1
setup.ilm.rollover_alias: "filebeat-7.10.2"
setup.ilm.enabled: true
setup.ilm.pattern: "{now/d}-000001"
setup.ilm.policy_name: "filebeat-7.10.2"
setup.ilm.overwrite: false
setup.ilm.check_exists: true



output.elasticsearch:
  hosts: ["els-mon1.local.com","els-mon2.local.com","els-mon3.local.com"]
  index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
  protocol: "https"
  username: "filebeat_setup"
  password: ""
  indices:
    - index: "filebeat-%{[agent.version]}-api-%{+yyyy.MM.dd}"
      when.contains:
        message: "webapi"
      setup.ilm.rollover_alias: "filebeat-7.10.2-api"
      setup.ilm.enabled: true
      setup.ilm.pattern: "{now/d}-000001"
      setup.ilm.policy_name: "filebeat-7.10.2-api"
      setup.ilm.overwrite: false
      setup.ilm.check_exists: true
      setup.template:
        name: "filebeat-7.10.2-api"
        pattern: "filebeat-7.10.2-api-*"
        enabled: true
        overwrite: false

I'm trying to do it and I want that all logs with webapi into the message are stored into the filebeat-%{[agent.version]}-api-%{+yyyy.MM.dd} the other into filebeat-%{[agent.version]}-%{+yyyy.MM.dd}. I set up two different policy filebeat-7.10.2-api and filebeat-7.10.2

but I have the same problem with "api" index it does not make rollover.

Any idea?

Thanks so much

graimato · February 26, 2021, 11:32am

I implemented a solution disabling IML and creating by hand the index with correct alias

system · March 26, 2021, 11:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat, ILM and multiple indices Beats filebeat	7	3359	March 29, 2020
Multiple indexnames from 1 filebeat instance with ilm Beats ilm-index-lifecycle-management , filebeat	5	380	May 24, 2021
Create multiple index str in filebeat and send logs to them with successfully rolover to next index Beats ilm-index-lifecycle-management , filebeat , reindex	1	259	March 3, 2023
ILM trying to rollover old index Beats ilm-index-lifecycle-management , filebeat	3	514	December 23, 2020
Filebeat (with ILM) -> Logstash -> Elasticsearch not working Beats ilm-index-lifecycle-management , filebeat	6	694	June 24, 2021

Filebeat multiple index rollover problem

Related topics