Filebeat: Select index based on prospector

Brian_Topping · July 19, 2017, 5:11am

I am trying to find the best way to set the index name based on the prospector that picked up the log entry. In general, I would like everything to default to index, then use indices for the specific changes as outlined in https://www.elastic.co/guide/en/beats/filebeat/5.5/elasticsearch-output.html#_indices.

I would have thought that using the when configuration element of indices was the right way to do this, but I can't find documentation on it anywhere, just a few examples on that page. What I imagine doing is adding a tag as a part of the prospector, then searching the tag in the when clause.

Will this work? Does documentation for when exist yet?

Thanks kindly!

steffens · July 19, 2017, 1:59pm

For simplicity I'd use format strings:

filebeat.prospectors:
- ...
  fields.class: "nginx"
- ...
  fields.class: "apache"

output.elasticsearch:
  index: '%{[fields.class]-%{+yyyy.MM.dd}'

You can use indices with when clause. If no when clause matches, the index setting will be applied.

Documentation on when-clause is available in the 'Conditions' documentation: https://www.elastic.co/guide/en/beats/filebeat/current/configuration-processors.html#conditions

It's always when.<condition>:.

system · August 16, 2017, 2:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.