How is -%{+YYYY.MM.dd} generated on Logstash output

A_B · July 30, 2018, 1:52pm

Hello,

I use daily ES indices that are created by Logstash using

output {

  elasticsearch {
...
        index => "%{[@metadata][foo]}-%{+YYYY.MM.dd}"
  }
}

I always assumed that Logstash looks up the date from the system but now I am seeing some evidence that it might come from @timestamp in the log message. Could someone confirm this suspicion?

Cheers,
AB

Badger · July 30, 2018, 2:25pm

Confirmed. It is based on @timestamp.

A_B · July 30, 2018, 2:48pm

Thank you @Badger

magnusbaeck · August 1, 2018, 8:35pm

The behavior is documented here: https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#sprintf

system · August 29, 2018, 8:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elasticsearch output - index name pattern Logstash	10	21149	July 6, 2017
Elastic not creating index daily based on date Logstash	13	2180	July 6, 2020
Logstash does not use the correct index with Elasticsearch output Logstash	7	1278	January 25, 2022
Logstash Output to Elasticsearch Timezone Logstash	5	2064	August 23, 2017
How does logstash chose which timestamped index to use? Elasticsearch	4	532	July 6, 2017

How is -%{+YYYY.MM.dd} generated on Logstash output

Related Topics