How to use filename as index wiht beats input

terminaattori · April 18, 2018, 6:57am

Hey!

How can I use the filename as an index when using beats input for multiple files?

My filebeat.yml looks currently like this:

filebeat.prospectors:
- type: log
  paths:
    - /path/${CURRENT_SERVER}/*log*
  fields:
     index:  ${CURRENT_SERVER}-${DATE_USED}
  close_eof: true
output.logstash:
  hosts: ["localhost:5044"]
output.console:
  enabled: false

and pipeline.conf like this:

input {

beats {
        port => "5044"
    }

}
filter {
    grok {
        match => { "message" => "%{LOGGERLEVEL:log}%{LOGTYPE:k}%{TIMESTAMP_ISO8601:datetime}%{GREEDYDATA:data}"}
    }
    date {
        match => ["datetime", "ISO8601"]
        timezone => TIMEZONE
    }

}
output {

    elasticsearch {
    	index => "%{[fields][index]}"
        hosts => ["localhost:9200"]
    }

}

recently this approach worked just fine when I had one file in a folder, but now I have two or three files in a folder. How can I extract the filename and use it as index?

guyboertje · April 18, 2018, 8:29am

The event should have a source field.

You can use this field index => "%{[source]}"

system · May 16, 2018, 8:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Best practice for setting index names when using filebeats to logstash Beats filebeat	3	2196	March 4, 2018
Problem creating dynamic index from filename (filebeat) Logstash	7	775	March 23, 2020
Create an index with log.file.path field Beats filebeat	3	418	June 7, 2020
Using filename from filebeat in index pattern Beats filebeat	2	2026	October 18, 2016
How to put each file name as index name to store Elasticsearch via Filebeat Beats filebeat	2	633	December 28, 2022

How to use filename as index wiht beats input

Related topics