Issue with the indices field of elasticsearch output

YLombardi · December 20, 2016, 10:36am

I'm trying to send my logs to multiple indices based on a field value.
In the documentation, it says that I can do this by using the "indices" field in the elasticsearch output : https://www.elastic.co/guide/en/beats/filebeat/5.0/elasticsearch-output.html#_indices

To tests this, I add to my filebeat.yml :
indices:
- index: "critical-%{+yyyy.MM.dd}"
when.contains:
message: "CRITICAL"
- index: "error-%{+yyyy.MM.dd}"
when.contains:
message: "ERR"

Now I restart filebeat and it fails with this error :
Exiting: error loading config file: yaml: line 313: found character that cannot start any token

Line 313 is the line where I add the "indices" field.
I don't find what error I did. I just copy/paste the exemple from the documentation.

Can someone help me with this ?

steffens · December 20, 2016, 11:42am

the YAML parser is failing on your configuration. YAML is sensitive to indentation. The config file by default uses 2 spaces per level.

You can test your yaml with http://www.yamllint.com .

Please format configs using the </>-button. Having a syntax error in your config, we will need to see the complete config.

YLombardi · December 20, 2016, 12:44pm

Thanks, that was that. An indentation error.
Now it works.

system · January 17, 2017, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.