Having trouble forwarding indexes from Elasticsearch to logstash

Hello,

I'm trying to send all information from one elasticsearch node to another in different clusters through logstash. My current inputs.conf is below. It sort of works, but it outputs indexes that are named: %{[@metadata][beat]}-2018.06.01, %{[@metadata][beat]}-2018.05.22, %{[@metadata][beat]}-2018.05.10, rather than metricbeat-2018.06.01, winlogbeat-2018.06.01, heartbeat-2018.06.01, etc. Is there a way to format it so the indexes are copied over correctly in real time?

input {
elasticsearch {
hosts => [ "HOSTNAME:9200" ]
#query => '{ "query": { "match": { "statuscode": 200 } }, "sort": [ "_doc" ] }'
index => "*"
#size => 500
#scroll => "5m"
#docinfo => true
}
}

output {
elasticsearch {
hosts => [ "OTHERHOSTNAME:9200" ]
sniffing => false
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}

OK, there is no [@metadata][beat] field in the document, so it is not substituted. Use stdout { codec => rubydebug } to see where in the document the beat name occurs, and substitute that field instead.

I will try that and update you. Thank you.

@Badger, It worked! thank you. I didn't know you could search through the output like that. Very helpful.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.