How to set ElasticSearch Apm Server indexing template as YYYY.mm?

I just created an APM server and it looks awesome, but indexing like "Apm-6.6.2-2019.04.19" doesn't make sense because at the end of the month I will have 30 logs. I want to use "apm-%{[beat.version]}-%{+yyyy.MM}" instead of "apm-%{[beat.version]}-%{+yyyy.MM.dd}". The code below is what I tried, but it's not working:

Kibana, Elastic.Apm: 6.6.2

apm-server:
  host: mycompany.name.com:8200
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["http://mycompany.name.com:9200"]
  index: "apm-%{[beat.version]}-%{+yyyy.MM.dd}"
  indices:
    - index: "critical-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "CRITICAL"
    - index: "error-%{[beat.version]}-%{+yyyy.MM.dd}"
      when.contains:
        message: "ERR"

  timeout: 180
  bulk_max_size: 2

setup.template.name: "apm"
setup.template.pattern: "apm-*"

Your configuration looks for a field called message, which is irrelevant for the APM documents.

Try to uncomment and modify the existing output.elasticsearch configuration on your apm-server.yml file accordingly, which is based on the processor.event field. Please read all comments around these configurations to make sure you don't break anything.

Hi @Eyal_Koren, can you give me an example? Actually, I don't understand what you mean. Thank you.

This is from apm-server.yml:

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  # Scheme and port can be left out and will be set to the default (http and 9200)
  # In case you specify and additional path, the scheme is required: http://localhost:9200/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  hosts: ["localhost:9200"]

  # Boolean flag to enable or disable the output module.
  #enabled: true

  # Set gzip compression level.
  #compression_level: 0

  # Optional protocol and basic auth credentials.
  #protocol: "https"
  #username: "elastic"
  #password: "changeme"

  # Dictionary of HTTP parameters to pass within the url with index operations.
  #parameters:
    #param1: value1
    #param2: value2

  # Number of workers per Elasticsearch host.
  #worker: 1

  # By using the configuration below, apm documents are stored to separate indices,
  # depending on their `processor.event`:
  # - error
  # - transaction
  # - span
  # - sourcemap
  #
  # The indices are all prefixed with `apm-%{[observer.version]}`.
  # To allow managing indices based on their age, all indices (except for sourcemaps)
  # end with the information of the day they got indexed.
  # e.g. "apm-6.3.0-transaction-2018.03.20"
  #
  # Be aware that you can only specify one Elasticsearch template.
  # In case you modify the index patterns you must also update those configurations accordingly,
  # as they need to be aligned:
  # * `setup.template.name`
  # * `setup.template.pattern`
  #index: "apm-%{[observer.version]}-%{+yyyy.MM.dd}"
  #indices:
  #  - index: "apm-%{[observer.version]}-sourcemap"
  #    when.contains:
  #      processor.event: "sourcemap"
  #
  #  - index: "apm-%{[observer.version]}-error-%{+yyyy.MM.dd}"
  #    when.contains:
  #      processor.event: "error"
  #
  #  - index: "apm-%{[observer.version]}-transaction-%{+yyyy.MM.dd}"
  #    when.contains:
  #      processor.event: "transaction"
  #
  #  - index: "apm-%{[observer.version]}-span-%{+yyyy.MM.dd}"
  #    when.contains:
  #      processor.event: "span"
  #
  #  - index: "apm-%{[observer.version]}-metric-%{+yyyy.MM.dd}"
  #    when.contains:
  #      processor.event: "metric"
  #
  #  - index: "apm-%{[observer.version]}-onboarding-%{+yyyy.MM.dd}"
  #    when.contains:
  #      processor.event: "onboarding"
...

Try basing on this.
I hope this helps.
Eyal.

Hi @Eyal_Koren. Maybe you misunderstood me. Doesn't matter. You are really helpful and brilliant, thank you. But my index is in YYYY.mm.dddd format, which means I will have apm.2019.04.23, apm.2019.04.24, apm.2019.04.25, apm.2019.04.26 .......

So it makes my indexes not useful for tracking anything down. Is it answering my question? Where is your YYYY.mm format for that?

Thank you again for your great help!

Yusuf,

Please see the enclosed output.elasticsearch configuration. It has an indices section (currently commented out) that contains the indices pattern definition. You can see its when.contains is looking for the processor.event field, which means indices will be created per processor event type (transaction, span etc.). Try relying on this with the date-format change and see if it does what you want, otherwise try playing with it.

Cheers,
Eyal.

If you only want to get rid of the dd format, you can remove it from the config, as Eyal described above, e.g.

  index: "apm-%{[observer.version]}-%{+yyyy.MM}"
  indices:
    - index: "apm-%{[observer.version]}-sourcemap"
      when.contains:
        processor.event: "sourcemap"

    - index: "apm-%{[observer.version]}-error-%{+yyyy.MM}"
      when.contains:
        processor.event: "error"

    - index: "apm-%{[observer.version]}-transaction-%{+yyyy.MM}"
      when.contains:
        processor.event: "transaction"

    - index: "apm-%{[observer.version]}-span-%{+yyyy.MM}"
      when.contains:
        processor.event: "span"

    - index: "apm-%{[observer.version]}-metric-%{+yyyy.MM}"
      when.contains:
        processor.event: "metric"

    - index: "apm-%{[observer.version]}-onboarding-%{+yyyy.MM}"
      when.contains:
        processor.event: "onboarding"

Please note that the whole index and indices configuration will be overwritten if you make changes to it in the config file. This means you will need to enable all indices you want to have set up in the configuration.

In case you additionally want to send documents to different indices depending on matching string values, you can also use the when.regexp condition, e.g.

    - index: "apm-%{[observer.version]}-XYZ-%{+yyyy.MM}"
      when.regexp:
        error.culprit: ".*XYZ.*"

Concerning your example above, please note that an error document can contain an error.log.message and an array of error.exceptions, where every exception again can have a message.
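To make the routing discussed in this thread concrete, here is a small Python model of how an APM document is assigned to an index from the index/indices settings (added here; it is not apm-server's own code). It assumes Beats semantics where rules are checked in order and the first match wins, and it uses a constructed config and sample document:

```python
import re
from datetime import datetime, timezone

# Constructed config in the thread's monthly, processor.event based layout. Rules are checked top to
# bottom, first match wins (Beats semantics, assumed here), so the narrower when.regexp rule comes first.
APM_MONTHLY = {
    "index": "apm-%{[observer.version]}-%{+yyyy.MM}",
    "indices": [
        {"index": "apm-%{[observer.version]}-sourcemap", "when.contains": {"processor.event": "sourcemap"}},
        {"index": "apm-%{[observer.version]}-XYZ-%{+yyyy.MM}", "when.regexp": {"error.culprit": ".*XYZ.*"}},
        {"index": "apm-%{[observer.version]}-error-%{+yyyy.MM}", "when.contains": {"processor.event": "error"}},
        {"index": "apm-%{[observer.version]}-transaction-%{+yyyy.MM}", "when.contains": {"processor.event": "transaction"}},
    ],
}

def get_field(doc, path):
    # Resolve a dotted path such as processor.event inside a nested document (None if absent).
    for part in path.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def render(pattern, doc, ts):
    # Expand %{[field]} placeholders, then %{+dateformat} ones (only the yyyy/MM/dd tokens seen on this page).
    out = re.sub(r"%\{\[([^\]]+)\]\}", lambda m: str(get_field(doc, m.group(1)) or ""), pattern)
    strf = lambda fmt: re.sub("yyyy|MM|dd", lambda t: {"yyyy": "%Y", "MM": "%m", "dd": "%d"}[t.group()], fmt)
    return re.sub(r"%\{\+([^}]+)\}", lambda m: ts.strftime(strf(m.group(1))), out)

def rule_matches(rule, doc):
    # when.contains is a substring test; when.regexp is an unanchored regex search.
    for key, val in rule.get("when.contains", {}).items():
        actual = get_field(doc, key)
        if not isinstance(actual, str) or val not in actual:
            return False
    for key, pat in rule.get("when.regexp", {}).items():
        actual = get_field(doc, key)
        if not isinstance(actual, str) or not re.search(pat, actual):
            return False
    return True

def select_index(cfg, doc, ts):
    # First matching rule wins; if none matches, the top-level index setting applies.
    for rule in cfg["indices"]:
        if rule_matches(rule, doc):
            return render(rule["index"], doc, ts)
    return render(cfg["index"], doc, ts)

# Constructed sample: an error whose culprit mentions XYZ, indexed on 2019-04-23.
TS = datetime(2019, 4, 23, tzinfo=timezone.utc)
ERROR_DOC = {"observer": {"version": "6.6.2"}, "processor": {"event": "error"}, "error": {"culprit": "XYZ.handler"}}
print(select_index(APM_MONTHLY, ERROR_DOC, TS))  # apm-6.6.2-XYZ-2019.04
```

Running the original question's `message`-based rules through the same model shows why they had no effect: APM documents carry no `message` field, so every document falls through to the default daily index.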
