Having trouble forwarding indexes from Elasticsearch to logstash

StillReclaim · June 11, 2018, 2:51pm

Hello,

I'm trying to send all information from one elasticsearch node to another in different clusters through logstash. My current inputs.conf is below. It sort of works, but it outputs indexes that are named: %{[@metadata][beat]}-2018.06.01, %{[@metadata][beat]}-2018.05.22, %{[@metadata][beat]}-2018.05.10, rather than metricbeat-2018.06.01, winlogbeat-2018.06.01, heartbeat-2018.06.01, etc. Is there a way to format it so the indexes are copied over correctly in real time?

input {
elasticsearch {
hosts => [ "HOSTNAME:9200" ]
#query => '{ "query": { "match": { "statuscode": 200 } }, "sort": [ "_doc" ] }'
index => "*"
#size => 500
#scroll => "5m"
#docinfo => true
}
}

output {
elasticsearch {
hosts => [ "OTHERHOSTNAME:9200" ]
sniffing => false
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}

Badger · June 11, 2018, 3:28pm

OK, there is no [@metadata][beat] field in the document, so it is not substituted. Use stdout { codec => rubydebug } to see where in the document the beat name occurs, and substitute that field instead.

StillReclaim · June 11, 2018, 5:12pm

I will try that and update you. Thank you.

StillReclaim · June 11, 2018, 8:36pm

@Badger, It worked! thank you. I didn't know you could search through the output like that. Very helpful.

system · July 9, 2018, 8:36pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.