Filebeatt doesn't create multiple index

pauldon2 · August 23, 2022, 2:38pm

I use elasticsearch 8.3.3 and filebeat 8.3.3
I try read logs from different docker contaiters by using filebeat and when direct write to different indices to elasticsearch.
My filebeat.yml

# ============================== Filebeat inputs ===============================
filebeat.autodiscover:
  providers:
    - type: docker
      templates:
#STEP2
        - condition:
            contains:
              docker.container.name: img-step2
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              fields:
                step: STEP2
              fields_under_root: true
#STEP4
        - condition:
            contains:
              docker.container.name: img-step4
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              fields:
                step: STEP4
              fields_under_root: true
#STEP10
        - condition:
            contains:
              docker.container.name: img-step10
          config:
            - type: container
              paths:
                - /var/lib/docker/containers/${data.docker.container.id}/*.log
              fields:
                step: STEP10
              fields_under_root: true

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 2
setup.template.name: "images-tst"
setup.template.pattern: "images-tst-*"
#setup.template.overwrite: true

# ================================== Outputs ===================================
output.elasticsearch:
  hosts: ["172.61.10.49"]
  protocol: https
  username: "filebeat"
  password: "tLWeILiKIrBGyVVpBUK1"

  ssl:
    enabled: true
    ca_trusted_fingerprint: "F4EA3BC74EF1BC8CFFF7685FC4B4F577A90A10DBC822A87DCDB956470AA91706"

#  index: "images-tst-%{+yyyy.MM.dd}"

  indices:
    - index: "images-tst-step2-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          step: "STEP2"
    - index: "images-tst-step4-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          step: "STEP4"
    - index: "images-tst-step10-%{+yyyy.MM.dd}"
      when.equals:
        fields:
          step: "STEP10"

#output.console:
#  pretty: true

# ================================= Processors =================================
processors:
  - drop_fields:
      fields: [ "host", "docker"]
      ignore_missing: true

# ================================== Logging ===================================
logging.level: info
logging.to_files: true
logging.files:
  path: /var/log/filebeat
  name: filebeat
  keepfiles: 7
  permissions: 0640

But no index is created.

jsoriano · August 25, 2022, 9:12am

Hi @pauldon2,

Filebeat indexes are managed by ILM (index lifecycle management). If you want to use custom indices you probably need to disable it.

pauldon2 · August 25, 2022, 12:00pm

Thanks a lot. It's works. P.S. Strange but that is not described in any example that I read.

system · September 22, 2022, 2:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple indexes not being created for multiple log files Beats filebeat	25	394	September 11, 2024
Create custom index in Filebeat Beats docker , filebeat	1	265	May 3, 2024
Filebeat with multiple different index type Beats filebeat	5	1707	May 28, 2019
Filebeat not filtering for separate index Beats filebeat	10	2858	September 9, 2019
Filebeat data not indexed Beats docker , filebeat	1	368	December 30, 2021

Filebeatt doesn't create multiple index

Related topics