Logstash different index names per input?

agonzalez · October 12, 2016, 12:59pm

I have this logstash config but beats documents get created with index "log-2016.10.12" that is the document_tpye instead of filebeat-xxx. Any idea on how i can set the index name to filebeat and snmptrap index to snmptrap?

input {
        beats {
                type => "filebeat"
                port => 5044
        }

        snmptrap {
                type => "snmptrap"
                community => "public"
                port => 8162
        }
}

### Add your filters / logstash plugins configuration here

filter {
  if "_grokparsefailure" in [tags] {
        drop {}
  }
}

output {
        elasticsearch {
                hosts => "elasticsearch:9200"
                user => "elastic"
                index => "%{type}-%{+YYYY.MM.dd}"
        }
}

caecilie · October 12, 2016, 1:17pm

index => "%{[@metadata][type]}-%{+YYYY.MM.dd}"

I had the same idea a few hours ago

agonzalez · October 12, 2016, 4:32pm

but for smtptraps input metadata type is not set, isnt it? I want to set different index for smtptraps filebeat and metricbeat.

caecilie · October 13, 2016, 6:28am

I only use filebeat, try:
index => "%{[type]}-%{+YYYY.MM.dd}"

agonzalez · October 13, 2016, 10:47am

No, it doesnt work, still create log-2016.10.13 index. Any one else?

caecilie · October 13, 2016, 11:18am

Try to set the document_typ in filebeat to "filebeat", default is log
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-filebeat-options.html

agonzalez · October 13, 2016, 11:19am

is there a way to set document_type globalyl in filebeat? I have like 40 prospectors and dont want to include it on each of them.