I am using the @timestamp field for when the document was indexed, but have a separate field ([page][post_date]) for a date of when the event occurred. I would like to create index names based on the [page][post_date] field. However, that field is in the default TIMESTAMP_ISO8601 format. I just want to have the standard index name of something-yyyy-MM-dd.
The way I would do it is first copy @timestamp to a new field, for instance "indexed_date" and then overwrite @timestamp with your post_date field.
If that's not an option, you could use an alias for the index in logstash, like "indexname-actieve" and in elasticsearch you could then use the rollover api and curator to rollover the index daily. More information on that is in this blogpost.
Assuming you don't want to use the @timestamp field for the post date you need to transform the [page][post_date] field (or a copy of it) into whatever format you prefer (using grok, mutate, or whatever filters you prefer) and reference it in the index option with the %{fieldname} notation.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.