How do I create my own Index name?

Blason · March 19, 2019, 3:42am

Hi Guys,

Can someone please help me on creating new Index name isntead of logstash-* or filebeat-*

Something like hashes-*.

I think I need to create my new mapping and then post it on elasticsearch? The thing happening here is since I already have logstash-* indices running creating new index name by creating fields in existing logstash indices.

Please help!!

warkolm · March 19, 2019, 3:44am

What are you using to send the data to Elasticsearch?

Blason · March 19, 2019, 3:52am

Its logstash.

May be I am wrong but I tried copying existing template from APImodifying it and trying to put using CURL but that is not happening. I am not so versed with MAPPING templates hence wanted to know what method I can follow to create my in index name so that fields won't get entangled in other indices.

warkolm · March 19, 2019, 4:26am

You need to have it defined in your output section to Elasticsearch. Can you show us what you have there?

Blason · March 19, 2019, 4:32am

its simple

input {

file {
path => "/opt/HASH/finalHash"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
csv {
separator => ","
columns => ["hash","sev","stat","attack","type"]
}

}
output {
elasticsearch {
hosts => "http://xx.xx.xx.xx:9200"
index => "hashes-%{+YYYY.MM.dd}"
}
}

warkolm · March 19, 2019, 4:34am

That will work. It will only apply the default-dynamic mapping though.
If you want to use the same type of mapping that the logstash-* indices use, then you will need to copy the existing template and change it to match the new index pattern.

Also, please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

Blason · March 19, 2019, 4:43am

Yep but I do have other indices running which is logstash-isnti-; now when I run logstash the fields from hashes- indices getting mingled in logstash-isnti-* indices.

I need to keep those completely separate and this is not happening.

Blason · March 27, 2019, 11:17am

Hi Team,

Unfortunately this is not happening; since my data is being ingested by logstash the fields created by either of the indices are gettign appeared in both of the Indices.

Here is what I did -

Logstash is creating indices by name
isnti- [has fields "IOC","attack","Severity"]
and hash-* [has fields "hash","attack","Severity"]

Now Hash field is appearing in isnti indices as well and vice-versa. How to make them completely isolated?

more 01.conf

  file {
    path => "/opt/output/*.out"
    start_position => "beginning"
   sincedb_path => "/dev/null"
  }
}
filter {
  csv {
      separator => ","
     columns => ["IOC","attack","Severity"]
  }
grok {
    match => { "IOC" => "%{IP:IPaddr}" }
}

geoip {
    source => "IPaddr"
    remove_field => "IPaddr"
        }

}
output {
   elasticsearch {
     hosts => "http://localhost:9200"
     index => "isnti-%{+YYYY.MM.dd}"
  }
}
`
    `input {
  file {
    path => "/opt/output/*.hashes"
    start_position => "beginning"
   sincedb_path => "/dev/null"
  }
}
filter {
  csv {
      separator => ","
     columns => ["hash","attack","Severity"]
  }
}
output {
   elasticsearch {
     hosts => "http://localhost:9200"
     index => "hash-%{+YYYY.MM.dd}"
  }
}
`

system · April 24, 2019, 11:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.