Filebeat output indices behavior

Currently I am using a custom index pattern via indices when filters. This works as expected. However, anything not matching the rule ends up being sent to the default filebeat- index.
As per the docs this makes sense:

If the indices setting is missing or no rule matches, the index setting is used.

I have a config that looks like this (watered down).

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /opt/data/application/logs/*.log
  json.message_key: message
  json.keys_under_root: true
  fields:
    logger: "application"

output.elasticsearch:
  hosts:
    - "elasticsearch:9200"
  protocol: "https"
  ssl.verification_mode: none
  username: "foo"
  password: "bar"
  indices:
    - index: "application-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.and:
        - equals:
            fields.logger: "application"
        - equals:
            app.value: 1

When using the output as above, if it doesn't match the index pattern "when" statement it just defaults to the default filebeat index.
Is there a way to disable the default index completely or should I be using Input filter processors instead to drop unwanted events?
I'm unsure of the best approach to this.
Any help would be appreciated.
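
The processor approach raised in the question, as an added example that is not part of the original post: Filebeat's `drop_event` processor, given the negation of the same `when.and` condition, discards non-matching events before they reach the output, so nothing falls through to the default index. It assumes unmatched events are genuinely unwanted; the field names are the ones from the config above.

```yaml
# Added example (not from the original post). Goes at the top level of
# filebeat.yml, alongside filebeat.inputs and output.elasticsearch.
processors:
  - drop_event:
      when:
        not:
          and:
            - equals:
                fields.logger: "application"
            - equals:
                app.value: 1

# The output keeps the same rule. Every event that survives the processor
# matches it, so the fallback "index" setting is never used.
output.elasticsearch:
  indices:
    - index: "application-%{[agent.version]}-%{+yyyy.MM.dd}"
      when.and:
        - equals:
            fields.logger: "application"
        - equals:
            app.value: 1
```

Events dropped this way are not shipped anywhere, so if the unmatched lines have any audit or troubleshooting value, routing them to a separate index with a second `indices` rule keeps them searchable.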

@ninjasloth I changed the category for this question to Beats/Filebeat. They will be able to provide better support for this question and get you all sorted out.
