How can I create index per hostname per day?

09958a6c84c61fe52414 · October 25, 2018, 11:31am

Hi all!
Now I am using logstash config that makes every day new index for all incoming data (from many hosts) with name like "filebeat-2018.10.25"

Config is:

input {
      beats {
        port => 5044
      }
}

filter {
  date {
    match => [ "logdate", "ISO8601" ]
  }
}

output {
      elasticsearch {
        hosts => ["localhost:9200"]
        sniffing => true
        manage_template => false
        index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "log"
      }
}

Tell me please what should I change in config to make Logstash create Index for every hostname every day (something like "my-server1-2018.10.24", "my-server2-2018.10.24)?

Christian_Dahlqvist · October 25, 2018, 11:34am

Why would you want to do that? Having lots of small indices and shards in the cluster can be very inefficient as each shard has a certain amount of overhead.

09958a6c84c61fe52414 · October 25, 2018, 11:39am

Well, in this case I want to try to have single index per host. I have about 10 servers to monitor, so I'l have persistent number of 10 indexes instead of rising number of indexes every day. Can you please tell me how can I tune my config to do it?

system · November 22, 2018, 11:39am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.