@sumanbehara
In order to empower others to help in a forum, it's a good idea to always provide the following when asking for help:
- what you tried (including relevant configurations)
- what you expected to happen (and why you expected this, if possible)
- what actually happened
The `index` property of logstash-output-elasticsearch uses Logstash's sprintf format, meaning it can use context from each event to produce its value; when this format string includes a date-format, Logstash automatically pulls from the `@timestamp` field, so if we can populate `@timestamp` with the value of `date`, or if we can reference a field that already has the right format, we'll be all set.
We have two options:
- overwrite the `@timestamp` with the value from our `date` field; OR
- pre-generate a formatted string into our `@metadata`, and reference it when building the index name template
Overwriting `@timestamp`

It looks like your current `@timestamp` is being automatically filled in with the current time; is it okay to overwrite this? If so, adding a mutate filter above your output to rename `date` to `@timestamp` might be helpful:
```
# ...
filter {
  mutate {
    # mutate's rename takes a hash, so the "=>" is required
    rename => { "date" => "@timestamp" }
  }
}
# ...
```
Then we could use the built-in formatters when building the index pattern; for example, if our event's `@timestamp` was `2016-05-23T10:42:03.568Z`, an Elasticsearch output configured like so would put the event in index `something-2016-05-23`:
```
# ...
output {
  elasticsearch {
    index => "something-%{+yyyy-MM-dd}"
    # ...
  }
}
```
Pre-generating a formatted string

If it's not okay to overwrite the `@timestamp`, then we may need to use a filter like wiibaa's logstash-filter-date_formatter, a well-tested community-contributed filter that can combine any timestamp field with a format specification to place a string representation in the event's metadata:
```
# ...
filter {
  date_formatter {
    source => "date"
    target => "[@metadata][date]"
    # Joda pattern: use lowercase "yyyy" for the calendar year; uppercase
    # "YYYY" is the week-year and gives the wrong year around New Year
    pattern => "yyyy-MM-dd"
  }
}
output {
  elasticsearch {
    index => "something-%{[@metadata][date]}"
    # ...
  }
}
```
The internal representation of the `date` field in your `rubydebug` output is an object that fully defines that exact moment in time down to the millisecond, which is great -- we can format it however we want (the rubydebug output just happens to print it as ISO8601).

In the Elastic Stack, we have a convention where the `@timestamp` is a little bit special, so it would be convenient if we could populate it with the value from your `date` field:
```
output {
  elasticsearch {
    index => "something-%{+yyyy-MM-dd}"
  }
}
```
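As an added example, not code from the post or from Logstash itself, here is a small Python model of the index templating discussed above: it renders both `something-%{+yyyy-MM-dd}` (from `@timestamp`) and `something-%{[@metadata][date]}` against a constructed event, shows why a `YYYY` (week-year) pattern misplaces events around New Year, and checks that the rendered name is the intended daily index rather than an unresolved `%{...}` literal. The Joda-to-strftime mapping, the event values and the name check are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (assumptions for this example, not data from the thread);
# the first mirrors the post's @timestamp of 2016-05-23T10:42:03.568Z.
EVENT = {
    "@timestamp": datetime(2016, 5, 23, 10, 42, 3, 568000, tzinfo=timezone.utc),
    "@metadata": {"date": "2016-05-23"},
}
NEW_YEAR_EVENT = {"@timestamp": datetime(2016, 1, 1, tzinfo=timezone.utc)}

# Minimal Joda -> strftime mapping for the tokens the post's patterns use.
# Joda 'yyyy' is the calendar year; 'YYYY' is the ISO week-year, which differs
# from the calendar year for a few days around New Year.
JODA_TOKENS = {"yyyy": "%Y", "MM": "%m", "dd": "%d"}

def joda_format(ts, pattern):
    """Render the supported subset of a Joda pattern against a datetime."""
    out = pattern.replace("YYYY", "%04d" % ts.isocalendar()[0])
    for token, strftime_code in JODA_TOKENS.items():
        out = out.replace(token, ts.strftime(strftime_code))
    return out

FIELD_REF = re.compile(r"%\{([^}]+)\}")
def lookup(event, ref):
    """Resolve a Logstash field reference: '[a][b]' is nested, 'a' is top-level."""
    keys = re.findall(r"\[([^\]]+)\]", ref) or [ref]
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def render_index(event, template):
    """Expand %{+pattern} from @timestamp and %{field} from the event; like
    Logstash, a reference that cannot be resolved is left as literal text."""
    def expand(match):
        body = match.group(1)
        if body.startswith("+"):
            return joda_format(event["@timestamp"], body[1:])
        value = lookup(event, body)
        return match.group(0) if value is None else str(value)
    return FIELD_REF.sub(expand, template)

DAILY_INDEX = re.compile(r"^something-\d{4}-\d{2}-\d{2}$")
def is_expected_daily_index(name):
    """True only for the daily index we meant; a leftover '%{...}' fails this."""
    return DAILY_INDEX.match(name) is not None
```

Running the unresolved case through `is_expected_daily_index` is the check worth wiring into a pipeline test: a typo in the field reference otherwise creates an index literally named `something-%{[@metadata][date]}`.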