Logstash index naming pattern - use of an alternate tag if one is missing

Data is sourced from filebeat and packetbeat with add_kubernetes_metadata and passed to logstash, using the logstash helm chart.

In logstash, I want the logs to be output to an elasticsearch index, named based on a kubernetes metadata tag ({[kubernetes][labels][app]}), but there have been a few deployments in kubernetes that were not tagged with app, causing a large amount of data to pile up in indices named with a literal "[kubernetes][labels][app]" (e.g. "logstash-production_us-east-1-00_filebeat-%{[kubernetes][labels][app]}-2020.01.20" instead of "logstash-production_us-east-1-00_filebeat-someapp-2020.01.20") instead of the correct tag. In these cases, where this metadata field is missing, I would like to use another field instead (e.g. {[kubernetes][labels][name]}).

Logstash config:

outputs:
  main: |-
    output {
      elasticsearch {
        hosts => ["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"]
        manage_template => false
        #index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{[kubernetes][labels][app]}-%{+YYYY.MM.dd}"
        #document_type => "%{[@metadata][type]}"
        document_type => "_doc"
      }
    }

For your config you can do the check:

output {
  # Test the same field that the index name interpolates; if the label is
  # missing, sprintf would otherwise leave the literal "%{...}" in the index name.
  if [kubernetes][labels][app] {
      elasticsearch {
        hosts => ["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"]
        manage_template => false
        index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{[kubernetes][labels][app]}-%{+YYYY.MM.dd}"
        document_type => "_doc"
      }
  }
  else {
      # Fallback for events without the app label: index by beat and date only.
      elasticsearch {
        hosts => ["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"]
        manage_template => false
        index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        document_type => "_doc"
      }
  }
}

Would you consider running ILM? It looks more logical for your use case.
For ES version 7.x you don't have to use document_type anymore.
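A single-output variant of the same idea, added here as an example and not part of the original thread: the fallback from the app label to the name label is resolved in the filter stage into a @metadata field, the value is normalised so a pod label cannot produce an invalid index name or an unbounded number of oddly named indices, and one elasticsearch output uses it. The [@metadata][index_app] field name, the "unlabeled" fallback value and the reuse of the question's index prefix are assumptions.

```logstash
filter {
  # Choose the label to name the index after: app first, then name, then a
  # fixed fallback so no event ends up in a literal "%{[kubernetes][labels][app]}"
  # index. Fields under [@metadata] are never written to Elasticsearch.
  if [kubernetes][labels][app] {
    mutate { add_field => { "[@metadata][index_app]" => "%{[kubernetes][labels][app]}" } }
  } else if [kubernetes][labels][name] {
    mutate { add_field => { "[@metadata][index_app]" => "%{[kubernetes][labels][name]}" } }
  } else {
    # Assumed fallback name; makes unlabeled workloads visible as one index.
    mutate { add_field => { "[@metadata][index_app]" => "unlabeled" } }
  }

  # Label values are set by whoever can edit pod metadata. Elasticsearch index
  # names must be lowercase and must not contain \ / * ? " < > | , # or spaces,
  # so normalise the value rather than trusting it verbatim.
  # Two mutate blocks on purpose: inside one mutate, gsub runs before lowercase.
  mutate { lowercase => [ "[@metadata][index_app]" ] }
  mutate { gsub => [ "[@metadata][index_app]", "[^a-z0-9_.-]", "_" ] }
}

output {
  elasticsearch {
    hosts => ["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"]
    manage_template => false
    index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{[@metadata][index_app]}-%{+YYYY.MM.dd}"
  }
}
```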
