Logstash index format interpreted literally

vinci · September 30, 2020, 7:48am

Hello,

I've created several indices with logstash using the following settings:

output
{
        stdout {
                codec => dots
        }

        elasticsearch {
                hosts => ["http://192.168.99.18:9200"]
                index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
                user => "elastic"
                password => "password"
        }
}

The problem is that I ended up literally with this format in elasticsearch:

%{[@metadata][beat]}-%{[@metadata][version]}-2014.06.26
%{[@metadata][beat]}-%{[@metadata][version]}-2014.06.03
%{[@metadata][beat]}-%{[@metadata][version]}-2014.06.25
etc.

Does anyone know where the problem lies and how I can make logstash interpret the variables correctly?

Thanks.

kavierkoo · September 30, 2020, 12:01pm

Hi, What is your logstash version?
For debugging, I would try to add below to output to see what are the fields available.

  stdout {
    codec => rubydebug { metadata => true }
  }

vinci · September 30, 2020, 12:20pm

Version 7.7.1 So is elastisearch also.
The debug output I'm supposed to see directly in the logstash logs under /var/log, right? (logstash is installed directly on the host).

kavierkoo · September 30, 2020, 12:41pm

codec => rubydebug will only print on screen.

If you want it to store in files, you will have to use file plugin

output {
 file {
   path => /tmp/my_output_text_file
   codec => rubydebug { metadata => true }
 }
}

Referring Link from:

system · October 28, 2020, 12:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.