I am using the following logstash pipeline:
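# pipelines.yml entry: reads the last 35 minutes of metricbeat-* documents from
# Elasticsearch and writes them to gzip-compressed files, one file per index name.
# Indentation is restored here; YAML needs it to nest the settings under the list
# item and to delimit the config.string block scalar.
- pipeline.id: export-process
  pipeline.workers: 4
  config.string: |
    input {
      elasticsearch {
        # NOTE(review): plain HTTP with ssl disabled means the basic-auth
        # credentials and every exported document cross the network unencrypted.
        # Enable TLS on this connection if the cluster endpoint supports it.
        hosts => "http://elastic:80/elasticsearch/"
        # NOTE(review): "elastic" is the built-in superuser. This export only
        # reads metricbeat-*; a dedicated user with read-only access to those
        # indices limits the damage if the credential leaks.
        user => "elastic"
        # NOTE(review): avoid an inline password. Reference a Logstash keystore
        # entry or environment variable instead, e.g. "${ES_PWD}" (placeholder name).
        password => ""
        ssl => "false"
        index => "metricbeat-*"
        # docinfo copies document metadata such as _index and _id into the event;
        # the output path below reads it from [@metadata][_index]. Fields under
        # @metadata are not serialized by outputs, so the exported JSON holds only
        # the document source unless those fields are copied into the event itself.
        docinfo => true
        # Range filter: documents whose @timestamp falls in the last 35 minutes.
        query => '{
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-35m",
                    "lte": "now",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          }
        }'
      }
    }
    output {
      file {
        gzip => "true"
        # One file per source index. The files hold full document contents, so
        # restrict access to the export directory (the file output's file_mode and
        # dir_mode options control the permissions of what it creates).
        path => "/usr/share/logstash/export/export_%{[@metadata][_index]}.json.gz"
      }
    }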
This, however, just creates raw blobs of JSON with no metadata surrounding each document, such as the index it came from.