How do I create an index name based on a time field that is not the timestamp?

I am using the @timestamp field for when the document was indexed, but have a separate field ([page][post_date]) for a date of when the event occurred. I would like to create index names based on the [page][post_date] field. However, that field is in the default TIMESTAMP_ISO8601 format. I just want to have the standard index name of something-yyyy-MM-dd.

How can I do this?

Thank you.

The way I would do it is to first copy @timestamp to a new field, for instance "indexed_date", and then overwrite @timestamp with your post_date field.
If that's not an option, you could use an alias for the index in Logstash, like "indexname-actieve", and in Elasticsearch you could then use the rollover API and Curator to roll over the index daily. More information on that is in this blog post.

Assuming you don't want to use the @timestamp field for the post date you need to transform the [page][post_date] field (or a copy of it) into whatever format you prefer (using grok, mutate, or whatever filters you prefer) and reference it in the index option with the %{fieldname} notation.
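
A pipeline sketch of the approach described in the reply above, added here as an example and not part of the original replies. It assumes [page][post_date] is a string such as 2017-03-09T14:05:11Z; the [@metadata][post_day] field name, the "unparsed" fallback, and the hosts value are made up for illustration.

```logstash
filter {
  if [page][post_date] {
    # mutate applies `copy` after `gsub` within one block, so the copy
    # and the trim need separate mutate blocks.
    mutate {
      copy => { "[page][post_date]" => "[@metadata][post_day]" }
    }
    # Keep only the leading yyyy-MM-dd. TIMESTAMP_ISO8601 separates the
    # date and time parts with either "T" or a space.
    mutate {
      gsub => [ "[@metadata][post_day]", "[T ].*$", "" ]
    }
    # The field value ends up in an index name, so accept only a plain date.
    # Anything else would create arbitrarily named indices or be rejected
    # by Elasticsearch.
    if [@metadata][post_day] !~ /^\d{4}-\d{2}-\d{2}$/ {
      mutate {
        replace => { "[@metadata][post_day]" => "unparsed" }
      }
    }
  } else {
    # Without this, a missing field leaves the literal text
    # %{[@metadata][post_day]} in the index name.
    mutate {
      add_field => { "[@metadata][post_day]" => "unparsed" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumption: local single node
    # [@metadata] fields are usable here but are not stored in the document.
    index => "something-%{[@metadata][post_day]}"
  }
}
```

The day is taken exactly as written in the field, so a post_date with a non-UTC offset is bucketed by its local date rather than converted to UTC.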
