I just upgraded to version 5. Currently I am using Filebeat to send log lines into Logstash, which will in turn filter the data and pass the document into Elasticsearch. Now, I am hoping to use the Elasticsearch ingest node in place of Logstash (i.e. filebeat -> ingest node).
I understand that by using the ingest nodes, I will have to specify the rules and patterns in the pipeline processors. However, I can't seem to find any documentation regarding what index my document(s) will be sent to.
Is it possible for me to define which index to store the document in? I want to define it according to the value from a field (i.e. timestamp).
So filebeat will send data to filebeat-YYYY-MM-DD.
To do that it will use a ?pipeline=YOURPIPELINE http parameter.
The pipeline will index the document in the index this document is sent to, here filebeat-YYYY-MM-DD. Note that in a pipeline, you can change the _index value, which by default contains the name of the index the document is supposed to be sent to.
The thing is that the logfile can contain messages from different days (i.e. different timestamps). Previously in Logstash I could name my index dynamically depending on the value of the fields it receives. Is that possible in this case?
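
Changing `_index` inside the pipeline, as the reply above describes, can be driven by a date field with the ingest node's `date_index_name` processor. The pipeline body below is an added example, not part of the original thread: it would be stored with `PUT _ingest/pipeline/YOURPIPELINE`, and the grok pattern, the ISO 8601 format of the `timestamp` field and the `filebeat-` prefix are assumptions about the log lines.

```json
{
  "description": "Added example: route each event to a daily index based on its own timestamp (log format is assumed)",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": ["%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:log_message}"]
      }
    },
    {
      "date_index_name": {
        "field": "timestamp",
        "date_formats": ["ISO8601"],
        "index_name_prefix": "filebeat-",
        "date_rounding": "d",
        "index_name_format": "yyyy-MM-dd"
      }
    }
  ]
}
```

With this pipeline, a line whose timestamp falls on a different day than the index Filebeat targeted has its `_index` rewritten to the daily index matching that timestamp, so one logfile spanning several days is split across the corresponding indices.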