Filebeat: Select index based on prospector

Brian_Topping · July 19, 2017, 5:11am

I am trying to find the best way to set the index name based on the prospector that picked up the log entry. In general, I would like everything to default to index, then use indices for the specific changes as outlined in https://www.elastic.co/guide/en/beats/filebeat/5.5/elasticsearch-output.html#_indices.

I would have thought that using the when configuration element of indices was the right way to do this, but I can't find documentation on it anywhere, just a few examples on that page. What I imagine doing is adding a tag as a part of the prospector, then searching the tag in the when clause.

Will this work? Does documentation for when exist yet?

Thanks kindly!

steffens · July 19, 2017, 1:59pm

For simplicity I'd use format strings:

filebeat.prospectors:
- ...
  fields.class: "nginx"
- ...
  fields.class: "apache"

output.elasticsearch:
  index: '%{[fields.class]-%{+yyyy.MM.dd}'

You can use indices with when clause. If no when clause matches, the index setting will be applied.

Documentation on when-clause is available in the 'Conditions' documentation: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-processors.html#conditions

It's always when.<condition>:.

system · August 16, 2017, 2:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Set indices based on a field value Beats filebeat	5	3566	January 18, 2017
Index name based on tags Beats filebeat	3	1542	July 24, 2018
How to use filename as index wiht beats input Logstash	2	1675	May 16, 2018
Send FileBeat Logs to Specific Type and Index in Elastic Search Beats filebeat	6	3029	May 10, 2018
Best practice for setting index names when using filebeats to logstash Beats filebeat	3	2164	March 4, 2018

Filebeat: Select index based on prospector

Related topics