Index Default Name

According to the docs, the default index name would be:

The default is "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

but I found that the name of the auto-created index is simply "filebeat-7.0.1".

I tried adding this line under output.elasticsearch, but the problem was not resolved.

index: "filebeat-%{[agent.version]}-%{+yyyy.MM.dd}"

Has anyone had this experience? How can I fix it? Thanks.

Yep, you had an event where the @datestamp didn't grok. The fix depends on your data. I encountered it in Apache logs that appear to be from DDoS attempts. I just added code, something like: if no @datestamp, make it "now".

I had extracted the filebeat ingest pipeline for use in logstash, but the same problem probably occurs if using ES ingest mode.

Also, if you have trouble seeing these events in Kibana, create an index pattern without using a timestamp. Use a name like "filebeat-7*" to be different from the "filebeat*" you probably have now.
