Logstash elasticsearch output, expand variables in data stream parameters

ebourlon · June 8, 2021, 9:39am

Hello,

I am using logstash 7.13.1 that has support for datastreams in the elasticsearch output.
As far as I looked at it is not possible to specify a variable in one of the datastream related parameter like below:

  elasticsearch {
	hosts => "localhost"
	data_stream => "true"
	data_stream_type => "metrics"
	data_stream_dataset => "iib"
	data_stream_namespace => "%{[@metadata][namespace]}"
  }

This will use "%{[@metadata][namespace]}" as a string.
Am I correct? Maybe an e.sprintf() to add there?

Br,

Badger · June 8, 2021, 8:02pm

Take a look at data_stream_auto_routing. Looking at the code it expects a field called [data_stream]

{ "data_stream": { "type": "foo", "dataset": "bar", "namespace": "baz" } }

You could build that using sprintf references in a mutate filter.

ebourlon · June 9, 2021, 6:13am

Thanks. This is indeed the solution.
That's what's happening when people don't read the manual

system · July 7, 2021, 6:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.