How to add dynamic fields + index with a logstash filter?

thokari · January 9, 2017, 4:03pm

Hi,
new to ELK. I have some Docker logs that I am successfully sending to Kibana.
However next to the field names that I am creating in that filter, it shows a '?', which means 'field not indexed'

This is my filter
filter { if [type] == "docker_log" { json { source => "message" add_field => [ "received_at", "%{@timestamp}" ] add_field => [ "received_from", "%{host}" ] } mutate { rename => { "log" => "message" } } date { match => [ "time", "ISO8601" ] } } }

How can I

Make it so that the fields are indexed?
Add dynamically every field in the JSON documents, of which I don't know the values yet? I thought this was the point in the first place of having logs in JSON...

warkolm · January 13, 2017, 3:05am

What does the mapping look like for the index?

system · February 10, 2017, 3:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok - How do I make it so a field is indexed in ES? Logstash	2	401	January 23, 2018
Creating dynamic elastic seach indices using a json field Logstash	2	585	September 6, 2017
Add existing fields to my logstash Logstash	9	844	October 19, 2021
Not getting dynamic index in elasticsearch using logstash Logstash	9	2628	May 18, 2017
Dynamic index names Logstash	6	2707	September 16, 2021

How to add dynamic fields + index with a logstash filter?

Related topics