How to use filename as index wiht beats input

terminaattori · April 18, 2018, 6:57am

Hey!

How can I use the filename as an index when using beats input for multiple files?

My filebeat.yml looks currently like this:

filebeat.prospectors:
- type: log
  paths:
    - /path/${CURRENT_SERVER}/*log*
  fields:
     index:  ${CURRENT_SERVER}-${DATE_USED}
  close_eof: true
output.logstash:
  hosts: ["localhost:5044"]
output.console:
  enabled: false

and pipeline.conf like this:

input {

beats {
        port => "5044"
    }

}
filter {
    grok {
        match => { "message" => "%{LOGGERLEVEL:log}%{LOGTYPE:k}%{TIMESTAMP_ISO8601:datetime}%{GREEDYDATA:data}"}
    }
    date {
        match => ["datetime", "ISO8601"]
        timezone => TIMEZONE
    }

}
output {

    elasticsearch {
    	index => "%{[fields][index]}"
        hosts => ["localhost:9200"]
    }

}

recently this approach worked just fine when I had one file in a folder, but now I have two or three files in a folder. How can I extract the filename and use it as index?

guyboertje · April 18, 2018, 8:29am

The event should have a source field.

You can use this field index => "%{[source]}"

system · May 16, 2018, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to put each file name as index name to store Elasticsearch via Filebeat Beats filebeat	2	574	December 28, 2022
How to use filebeat fields name value in logstash config Beats filebeat	5	14625	May 2, 2017
Problem creating dynamic index from filename (filebeat) Logstash	7	730	March 23, 2020
Best practice for using file beats and indexing Beats filebeat	3	825	April 17, 2018
How to use the index specified in Filebeat in logstash.yml? Beats filebeat	3	439	September 18, 2018

How to use filename as index wiht beats input

Related topics