Ingest Pipeline

Elastic Stack Elasticsearch
1

Hi,

I have am ingest pipeline that set within Elasticsearch ingest node, that takes the message field from a log file and splits it out.

During this I pull out the date which looks fine when it hits the document, but the index pattern is setting it as a string and not a date. is the a way I can get it to set as a date?

[
  {
    "grok": {
      "field": "message",
      "patterns": [
        "%{YUMTIMESTAMP:yum.date} %{NOTSPACE:yum.state} %{NOTSPACE:yum.package}"
      ],
      "pattern_definitions": {
        "YUMTIMESTAMP": "%{MONTH} +%{MONTHDAY} %{TIME}"
      },
      "description": "Yum entry"
    }
  },
  {
    "date": {
      "field": "yum.date",
      "formats": [
        "MMM dd HH:mm:ss"
      ],
      "target_field": "yum.datetime"
    }
  }
]
2

You need to define the mapping for your index and set the field as a date field.

3

Thank you for coming back to me.

I haven't carried out a mapping before, where is this setup?

4

And

You can GET your current mapping using

GET /yourindexname

And the adjust from there.

5

Thanks @stephenb - As im pulling the data in through filebeat, wil i need to update the mapping on every new index created for each release e.g. filebeat-7.11 then filebeat-7.12?

6

No you will use an index template :slight_smile: that matches the pattern of indices like

my-filebeat-*

Think of a template as a mapping (and settings) that get applied to any index name that matches a pattern

7

Thanks. Had to wing it a little but got it working with your help :slight_smile: