Logstash cannot use docker metadata to build a dynamic index

ktpktr0 · April 23, 2021, 4:00am

I use filebeat to collect docker logs and add a label when the docker container starts.

- type: docker
  enabled: true
  containers.ids:
    - '*'  
  tail_files: true

The following configuration is made in logstash to build a dynamic index.

filter {
     json {
       source => "message"
   }
}

output {
    elasticsearch {
        hosts => ["192.168.6.155:9200","192.168.6.156:9200","192.168.6.157:9200"]
        ssl => true
        cacert => "/etc/logstash/ssl/root.pem"
        index => "%{[container.labels.service]}-%{+YYYY.MM.dd}"
    }
}

But I failed and got the following index

leandrojmp · April 23, 2021, 4:46am

You should use [container][labels][service] and not [container.labels.service].

Try to change the index option in your output to this:

index => "%{[container][labels][service]}-%{+YYYY.MM.dd}"

ktpktr0 · April 23, 2021, 5:05am

I tried to follow your example, and I got the following results：

%{[container][labels][service]}-2021.04.23

ktpktr0 · April 25, 2021, 6:23am

After many tests, I solved the problem, it needs to meet some conditions. Thank you very much for your help

system · May 23, 2021, 6:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.