Ingest pipeline - Override datastream

jeff.diademi · December 13, 2022, 8:05pm

Today, I'm ingesting logs from kubernetes containers pods using elastic agent kubernetes integration. It works fine.

Now, I have a use case which is the following:
Some specific logs records need to be ingested in another index, so I tried to override data_stream.dataset field in ingest pipeline: logs-kubernetes.container_logs@custom

The issue is the following mapping exception: org.elasticsearch.index.mapper.MapperParsingException: failed to parse field [data_stream.dataset] of type [constant_keyword] in document with id 'X3MRDYUBU7-AR-97HDwE'. Preview of field's value: 'my_test_app'

How could it be implemented?

Venkata_Raja · December 14, 2022, 6:18am

Hi Jeff,

Welcome to Community!

Constant keyword is a specialization of the keyword field for the case that all documents in the index have the same value.

It will not take multiple values .

And you cannot override the index in an integration.

Routing documents based on values within the documents is not possible with Elastic Agent. You would need Logstash in between doing that for you.
Because, the Elastic Agent has an API key and that API key allows it to only write to a certain datastream.

jeff.diademi · December 14, 2022, 6:48am

Ok, I understand, thanks for the reply.

Topic		Replies	Views
Data allways stack in field.keyword than field Kibana docker	9	548	September 9, 2022
Sending data to new Data Stream with Elastic Agent Elastic Agent	20	1521	March 26, 2024
Duplicate field.keyword and field in data stream within Observability Elasticsearch	2	727	September 1, 2022
Elastic agent override existing index/datastream Elastic Agent	6	215	August 20, 2024
Elasticsearch output for Elastic Agent - adding an ingest pipeline Beats elastic-agent , ingest-pipeline	5	3188	December 23, 2020

Ingest pipeline - Override datastream

Related topics