Hello,
I use daily ES indices that are created by Logstash using
output {
elasticsearch {
...
index => "%{[@metadata][foo]}-%{+YYYY.MM.dd}"
}
}
I always assumed that Logstash looks up the date from the system but now I am seeing some evidence that it might come from @timestamp in the log message. Could someone confirm this suspicion?
Cheers,
AB
Confirmed. It is based on @timestamp.
The behavior is documented here: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#sprintf
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.