Filebeat with netflow module: independent index problem

robertitox · June 24, 2020, 11:29pm

Hi people, I enable netflow module in filebeat, and in filebeat.yml file I put this lines:
output.elasticsearch:
hosts: ["siemtest.provincianet.com.ar:9200"]
protocol: "http"
username: "elastic"
password: "xxx"
indices:

index: "filebeat-netflow-%{+yyyy.MM.dd}"
when.equals:
event.module: "netflow"
index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"
whe.not.equals:
event.module: "netflow"

I wanted to put every netflow data in one filebeat index and the other data in another index.

After executing "filebeat setup" and "service filebeat start", I go to "Index Management" --> filebeat-*, and I see a message telling that I have to reindex because there are some fields with different defined type along several indexes.

Have I proceed in a corect way?

How can I do to have netflow data in a index an the other data in another index (default)???

Thanks a lot!!!

Kaiyan_Sheng · June 25, 2020, 12:52am

Hello! Can you run two Filebeats, one with netflow module enabled and the other with other modules that you are using? Then for each Filebeat, in filebeat.yml configure output.elasticsearch with specified index. For example: https://www.elastic.co/guide/en/beats/filebeat/current/elasticsearch-output.html#index-option-es

system · July 23, 2020, 2:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.