How to use grok to match filenames as indexes in logstash

ThePreMan · February 1, 2021, 1:14pm

We try to use developer names as indexes in logstash.
Therefore our filenames are something like: developer1.log
We have tried to use grok to match a certain part of the path as our filename. Nothing seems to be working-

We ship from filebeat to logstash.
This is our logstash conf.:

    input {
      beats {
        port => 5044
        client_inactivity_timeout => 84600
      }
    }
    filter {
      dissect {
        mapping => {
          "message" => "%{Index} %{timestamp} %{+timestamp} %{PTimestamp} %{Count} %{Ecuid} %{Apid} %{Ctid} %{SessionID} %{Type} %{Subtype} %{Mode} %{#Args} %{Payload}"
        }
      }
      grok { 
        match => ["path" => "/(?<filename>[^/]+).log" ]
      }
      mutate {
        convert => {
          "PTimestamp" => "integer"
          "Count" => "integer"
          "Index" => "integer"
          "#Args" => "integer"
        }
      }
      date {
        match  => [ "timestamp", "yyyy/MM/dd HH:mm:ss.SSSSSS" ]
      }
    }

    output {
      elasticsearch {
        hosts => ["http://elasticsearch-master:9200"]
        index => "%{filename}"
      }
    }

system · March 1, 2021, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to use filename as index wiht beats input Logstash	2	1675	May 16, 2018
Problem creating dynamic index from filename (filebeat) Logstash	7	730	March 23, 2020
Use part of the log files name for the index? Logstash	3	616	September 23, 2020
Unable to index a file in elasticsearch Elasticsearch	6	1102	November 5, 2017
Filebeat-* as Index in Elasticsearch Input plugin in Logstash Config Logstash	1	186	October 25, 2022

How to use grok to match filenames as indexes in logstash

Related topics