Index by hostname?

Nikolas1306 · October 21, 2022, 10:34am

      elasticsearch {
			hosts => ["localhost:9200"]
                      
			index =>  "logstash-%{[host][hostname]}%{+YYYY.MM.dd}"
		 }

but have

stephenb · October 21, 2022, 10:52pm

The syntax is correct... (even though I think you want another - between the hostname and date)

What you are seeing is when that field does not exist / logstash is not able to get the host name from the host or for some reason your pipeline has corrupted or deleted that field.

When logstash can not access the fields is substitutes the literal.

If you do a simple in the output you will see the fields you can work with.

stdout {}

Somtime that field ends up in [host][name]

Nikolas1306 · October 22, 2022, 7:14am

i've resolved with

index => "logstash-%{[host][name]}%{+YYYY.MM.dd}"

system · November 19, 2022, 7:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash EXEC input Logstash	4	512	March 26, 2020
An index per host Logstash	3	763	December 8, 2018
Indices names missing timestamp Logstash	4	566	December 19, 2019
Custom logstash index name output to ES Logstash	2	2394	July 5, 2017
Default Index Pattern (logstash-yyyy.MM.dd) Failing Logstash	8	928	October 25, 2022

Index by hostname?

Related topics