Data is sourced from Filebeat and Packetbeat with add_kubernetes_metadata and passed to Logstash, using the Logstash Helm chart.

In Logstash, I want the logs to be output to an Elasticsearch index named after a Kubernetes metadata label ({[kubernetes][labels][app]}). However, a few deployments in Kubernetes were not tagged with app, so a large amount of data has piled up in indices named with the literal string "[kubernetes][labels][app]" instead of the correct tag (e.g. "logstash-production_us-east-1-00_filebeat-%{[kubernetes][labels][app]}-2020.01.20" instead of "logstash-production_us-east-1-00_filebeat-someapp-2020.01.20"). In these cases, where this metadata field is missing, I would like to use another field instead (e.g. {[kubernetes][labels][name]}).
Logstash config (Helm chart values):

outputs:
  main: |-
    output {
      elasticsearch {
        hosts => ["${ELASTICSEARCH_HOST}:${ELASTICSEARCH_PORT}"]
        manage_template => false
        #index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{+YYYY.MM.dd}"
        index => "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{[kubernetes][labels][app]}-%{+YYYY.MM.dd}"
        #document_type => "%{[@metadata][type]}"
        document_type => "_doc"
      }
    }
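The fallback described in the post can be implemented in the filter section before the output runs, either with a conditional plus mutate (if ![kubernetes][labels][app] { mutate { add_field => ... } }) or, as in the added example below, with a ruby filter. This is example code, not part of the original post or the Logstash Helm chart. It resolves the label once into [@metadata][index_app] so the output can use a single sprintf reference that is always set, which also prevents the literal "%{...}" index names from appearing again. The StubEvent class is a stand-in for Logstash's event object (event.get / event.set with the same field-reference syntax) so the logic can be run outside Logstash; the "unknown" fallback, the 64-character cap and the sanitisation rules (Elasticsearch index names must be lowercase and may not start with -, _ or +) are assumptions chosen here, since label values are controlled by whoever writes the deployment and should not be trusted to form a valid index name unmodified.

```ruby
# Added example, not from the original post: choose the label used in the
# Elasticsearch index name, falling back to another label when the first
# is missing, and normalise it so it is always a valid index-name fragment.

# Any character that is not lowercase alphanumeric, '.', '-' or '_' is
# replaced; this covers everything Elasticsearch rejects in index names.
UNSAFE = /[^a-z0-9._-]/

# Normalise one label value into a safe index-name fragment (assumed rules).
def sanitize_index_part(value)
  s = value.to_s.downcase.gsub(UNSAFE, "-")
  s = s.sub(/\A[-_+]+/, "")     # index names may not start with -, _ or +
  s.empty? ? "unknown" : s[0, 64]
end

# Fields to try, in order; the first non-empty one wins (names from the post).
FIELD_CANDIDATES = ["[kubernetes][labels][app]", "[kubernetes][labels][name]"].freeze

def choose_index_app(event, candidates = FIELD_CANDIDATES, fallback = "unknown")
  candidates.each do |f|
    v = event.get(f)
    return sanitize_index_part(v) if v && !v.to_s.empty?
  end
  fallback
end

# This is the body that would go inside `ruby { code => "..." }` in the
# filter section; the output then uses %{[@metadata][index_app]}.
def filter_code(event)
  event.set("[@metadata][index_app]", choose_index_app(event))
  event
end

# Minimal stand-in for LogStash::Event supporting "[a][b][c]" field references.
class StubEvent
  def initialize(data)
    @data = data
  end

  def get(ref)
    keys = ref.scan(/\[([^\]]+)\]/).flatten
    keys.reduce(@data) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end

  def set(ref, value)
    keys = ref.scan(/\[([^\]]+)\]/).flatten
    last = keys.pop
    keys.reduce(@data) { |h, k| h[k] ||= {} }[last] = value
  end
end

if __FILE__ == $0
  # Constructed sample events: one labelled with app, one only with name, one with neither.
  [
    { "kubernetes" => { "labels" => { "app" => "SomeApp" } } },
    { "kubernetes" => { "labels" => { "name" => "other/name" } } },
    { "kubernetes" => {} },
  ].each do |data|
    e = filter_code(StubEvent.new(data))
    puts "logstash-production_us-east-1-00_filebeat-#{e.get('[@metadata][index_app]')}-2020.01.20"
  end
end
```

With this in place the output's index setting becomes "logstash-production_us-east-1-00_%{[@metadata][beat]}-%{[@metadata][index_app]}-%{+YYYY.MM.dd}"; because @metadata is never shipped to Elasticsearch, the resolved value does not pollute the stored document. Keeping the candidate list to known label names and lowercasing the value also keeps an arbitrary label value from creating unexpected indices.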