Currently I am using a custom index pattern via indices when filters. This works as expected. However, anything not matching the rule ends up being sent to the default filebeat- index.
As per the docs this makes sense:
> If the `indices` setting is missing or no rule matches, the `index` setting is used.
I have a config that looks like this (watered down).
```yaml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /opt/data/application/logs/*.log
    json.message_key: message
    json.keys_under_root: true
    fields:
      logger: "application"

output.elasticsearch:
  hosts:
    - "elasticsearch:9200"
  protocol: "https"
  ssl.verification_mode: none
  username: "foo"
  password: "bar"
  indices:
    - index: "application-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.and:
        - equals:
            fields.logger: "application"
        - equals:
            app.value: 1
```
When using the output as above, if it doesn't match the index pattern "when" statement it just defaults to the default filebeat index.
Is there a way to disable the default index completely or should I be using Input filter processors instead to drop unwanted events?
I'm unsure of the best approach to this.
Any help would be appreciated.
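
The processor approach mentioned in the question, as an added example that is not part of the original post: a `drop_event` processor whose condition is the negation of the `indices` rule, so events that would have fallen through to the default index are discarded before they reach the output. The condition fields are copied from the config above; the placement at the top level of `filebeat.yml` and the trimmed output section are assumptions.

```yaml
# Added example, not from the original post.
# Drop every event that does NOT satisfy the same condition used by the
# custom index rule, so nothing is left to fall back to the default index.
processors:
  - drop_event:
      when:
        not:
          and:
            - equals:
                fields.logger: "application"
            - equals:
                app.value: 1

output.elasticsearch:
  hosts:
    - "elasticsearch:9200"
  # Remaining connection settings as in the post's config.
  indices:
    # Only events that survived the processor arrive here, and all of
    # them match this rule.
    - index: "application-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.and:
        - equals:
            fields.logger: "application"
        - equals:
            app.value: 1
```

Dropped events are discarded on the host and are not recoverable from Elasticsearch, so the two conditions need to stay in sync whenever the index rule changes.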