Logstash and filebeat data streams

gborg · September 15, 2022, 9:17am

Hello

I have a setup where I run filebeats, which send their logs to a queue, logstash reads off the queue and writes the data to elasticsearch.

With version 7 I had no issues, I recently upgraded to elasticsearch to elasticsearch 8 and was going to start updating the beats, where I ran into a problem

The default behaviours of beats (when connected directly to elasticsearch) is to write to the datastram "%{beat-name}-%{beat-version", "filebeat-8.4.1" for example

And i want to use the standard datastream format with my beats data but I can't since the logstash output only supports writing datastreams in the "%{type}-%{dataset}-%{namespace}" format, "logs-default-generic" for example

How can I use logstash and the standard datastreams together ?

gborg · September 15, 2022, 1:24pm

I mangaged to solve it

by not setting the elasticsearch output as a datastream, specifying the action and the index name

 elasticsearch {
                        [.....]
                        action => "create"
                        index => "%{[@metadata][beat]}-%{[@metadata][version]}"
 }

system · October 13, 2022, 1:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat - Datastreams? Beats filebeat	2	1310	November 22, 2021
Auditbeat >=8, logstash, and elasticsearch data stream Logstash	3	414	July 5, 2023
Filebeat --> Logstash works but directly to Elasticsearch = nothing Beats filebeat	5	542	April 10, 2018
How to point Filebeat to send data to existing data stream in Elasticsearch? Beats beats-module	1	579	January 19, 2023
Filebeat's module using Logstash Beats filebeat	6	3703	November 30, 2017

Logstash and filebeat data streams

Related topics