Logstash always creates elasticsearch indexes if they dont exist

I precreated Elasticsearch indexes with alias "logstash-beats" and "logstash-postgres" and that works fine with Logstash output.

However I would also like to completely disable logstash from creating new indexes at all (for when they have not yet been creaed) and for the life of me cannot find a combination of settings below to do that.

No matter which way I include these settings logstash still creates the indexes if they dont exist. Shouldnt having "manage_template => false" do the trick?

I also tried manage_template => "false" with no luck

  if [docker][container][labels][com_docker_compose_service] == "beats" {
      elasticsearch {
        hosts => ["elasticsearch7:9200"]
        manage_template => false
        template_overwrite => false
        template_name => "logstash-beats"
        ilm_enabled => false
        index => "logstash-beats"
      }
  }
  else if [docker][container][labels][com_docker_compose_service] == "postgres" {
        hosts => ["elasticsearch7:9200"]
        manage_template => false
        template_overwrite => false
        template_name => "logstash-postgres"
        ilm_enabled => false
        index => "logstash-postgres"
      }
  }
  else {
        null{}
  }

In your else if you don't have elasticsearch { which I don't know if it's your issue, but it is an issue.

  else if [docker][container][labels][com_docker_compose_service] == "postgres" {
     elasticsearch { <---------- THIS
        hosts => ["elasticsearch7:9200"]
        manage_template => false
        template_overwrite => false
        template_name => "logstash-postgres"
        ilm_enabled => false
        index => "logstash-postgres"
      }
  }

I would have thought the simplest solution would be to only write to the two indexes you want to have. Just do not set the index option to anything else.

You can turn off the automatic creation of indexes when written to in elasticsearch. See the Index API documentation and search for auto_create_index. Not sure what elasticsearch does if you set that. If it returns an error to logstash that may not help much.

If you are indexing Beats data, you really don't want to be putting everything into one big index without using ILM.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.