elasticsearch {
hosts => ["localhost:9200"]
index => "logstash-%{[host][hostname]}%{+YYYY.MM.dd}"
}
but have
The syntax is correct... (even though I think you want another - between the hostname and date)
What you are seeing is when that field does not exist / logstash is not able to get the host name from the host or for some reason your pipeline has corrupted or deleted that field.
When logstash can not access the fields is substitutes the literal.
If you do a simple in the output you will see the fields you can work with.
stdout {}
Somtime that field ends up in [host][name]
i've resolved with
index => "logstash-%{[host][name]}%{+YYYY.MM.dd}"
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.