Hello all,
I'm currently trying to create a data stream with a corresponding ILM policy enabled, and then have Logstash to forward logs to that data stream.
See below steps I follow:
Create Component Template
PUT _component_template/comp_header_template
{
"template": {
"settings": {
"index.lifecycle.name": "pbheaderpolicy",
"index.lifecycle.rollover_alias": "header_stream"
}
}
}
Create Index Template
PUT _index_template/index_header_template
{
"index_patterns": ["header_stream*"],
"data_stream": { },
"composed_of": ["comp_header_template"],
"priority": 500
}
Mind that I have a customer ILM Policy created named pbheaderpolicy which is included inside the component template.
Logstash Output
elasticsearch {
hosts => ["https://es01:9200"]
user => "elastic"
password => "*****"
ssl_enabled => true
cacert => "/usr/share/logstash/certs/ca/ca.crt"
data_stream => "true"
data_stream_type => "logs"
data_stream_dataset => "header_stream"
data_stream_namespace => "development"
}
Logstash works without any errors, but the data stream is getting different index template and ilm policy, as per the below:
I have been trying multiple outputs on logstash, but apparently it doesn't seem to be working properly..
Any assistance or further guidance over this, would be highly appreciated!
Thanks in advance.