How do I create an index name based on a time field that is not the timestamp?


I am using the @timestamp field for when the document was indexed, but have a separate field ([page][post_date]) for a date of when the event occurred. I would like to create index names based on the [page][post_date] field. However, that field is in the default TIMESTAMP_ISO8601 format. I just want to have the standard index name of something-yyyy-MM-dd.

How can I do this?

Thank you.

(Kurt Schraeyen) #2

The way I would do it is first copy @timestamp to a new field, for instance "indexed_date", and then overwrite @timestamp with your post_date field.
If that's not an option, you could use an alias for the index in Logstash, like "indexname-actieve", and in Elasticsearch you could then use the rollover API and Curator to roll over the index daily. More information on that is in this blog post.

(Magnus Bäck) #3

Assuming you don't want to use the @timestamp field for the post date you need to transform the [page][post_date] field (or a copy of it) into whatever format you prefer (using grok, mutate, or whatever filters you prefer) and reference it in the index option with the %{fieldname} notation.
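
One way to wire up the approach in the reply above, as an added example that is not part of the original thread. It assumes [page][post_date] is still a string in TIMESTAMP_ISO8601 form (not yet converted by a date filter); the [@metadata] field names and the hosts value are placeholders chosen for illustration.

```logstash
filter {
  # Work on a copy under @metadata so the original field is untouched
  # and the helper value is never written into the stored document.
  mutate {
    copy => { "[page][post_date]" => "[@metadata][post_day]" }
  }

  # TIMESTAMP_ISO8601 separates date and time with "T" or a space.
  # Dropping everything from the separator onward leaves yyyy-MM-dd.
  # This is a separate mutate block because copy runs after gsub
  # when both are in the same block.
  mutate {
    gsub => [ "[@metadata][post_day]", "[T ].*$", "" ]
  }

  # Only let a strictly validated value reach the index name. A missing
  # or malformed post_date would otherwise create an index with a
  # literal "%{...}" in its name, or one named from arbitrary input.
  if [@metadata][post_day] =~ /^\d{4}-\d{2}-\d{2}$/ {
    mutate {
      add_field => { "[@metadata][index_day]" => "%{[@metadata][post_day]}" }
    }
  } else {
    # Fall back to the day taken from @timestamp (UTC).
    mutate {
      add_field => { "[@metadata][index_day]" => "%{+YYYY-MM-dd}" }
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # placeholder
    index => "something-%{[@metadata][index_day]}"
  }
}
```

The day is taken as written in the field, so a post_date carrying a non-UTC offset lands in the index for its local date rather than its UTC date.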

(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.