trying to accomplish:
index: "filebeat-%{[beat.version]}-%{[tags]}-%{+yyyy.MM.dd}"
my prospector looks similar to this:
- type: log
enabled: true
paths:
- /var/log/auth.log
tags: auth
exclude_files: ['\.gz$']
fields_under_root: true
However i'm getting this when trying to start up filebeat:
2018-06-22T18:20:34.797Z WARN fmtstr/formatevents.go:398 Can not convert key '[auth]' value to string
On filebeat 6.2.2
Any thoughts? I'm truly stuck.
Hi @hobapolis,
tags is an array, and it cannot be used in variable substitution for the index name. You can add a custom field and use this field, something like this:
- type: log
enabled: true
paths:
- /var/log/auth.log
fields:
index: auth
exclude_files: ['\.gz$']
And then:
index: "filebeat-%{[beat.version]}-%{[fields.index]}-%{+yyyy.MM.dd}"
Another option is to use indices instead of index, that allows to define more advanced rules for index selection, you'd have to replace your index with something like:
indices:
- index: "filebeat-%{[beat.version]}-auth-%{+yyyy.MM.dd}"
when.contains:
tags: "auth"
Thanks @jsoriano. I came to the realization that tags wasn't going to be a thing for me not long after I posted this question.
I did something very similar to your first suggestion. I ended up just creating a custom field called index_name.
Take care.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.