Logstash cannot use docker metadata to build a dynamic index

ktpktr0 · April 23, 2021, 4:00am

I use filebeat to collect docker logs and add a label when the docker container starts.

- type: docker
  enabled: true
  containers.ids:
    - '*'  
  tail_files: true

The following configuration is made in logstash to build a dynamic index.

filter {
     json {
       source => "message"
   }
}

output {
    elasticsearch {
        hosts => ["192.168.6.155:9200","192.168.6.156:9200","192.168.6.157:9200"]
        ssl => true
        cacert => "/etc/logstash/ssl/root.pem"
        index => "%{[container.labels.service]}-%{+YYYY.MM.dd}"
    }
}

But I failed and got the following index

leandrojmp · April 23, 2021, 4:46am

You should use [container][labels][service] and not [container.labels.service].

Try to change the index option in your output to this:

index => "%{[container][labels][service]}-%{+YYYY.MM.dd}"

ktpktr0 · April 23, 2021, 5:05am

I tried to follow your example, and I got the following results：

%{[container][labels][service]}-2021.04.23

ktpktr0 · April 25, 2021, 6:23am

After many tests, I solved the problem, it needs to meet some conditions. Thank you very much for your help

Topic		Replies	Views
Filebeat failed to inject events in dynamic index name having docker metadata Beats filebeat	1	832	February 13, 2019
How to filter when dynamic index has no value Logstash docker	4	335	May 23, 2021
Docker hints based autodiscover custom label Beats filebeat	2	388	October 23, 2019
How to create container name specific indexes Logstash docker	1	271	August 16, 2023
Filebeat config using Docker labels as index and pipeline names Beats docker , filebeat	1	396	November 19, 2020

Logstash cannot use docker metadata to build a dynamic index

Related topics