Modify netflow index creation name

Ryne_Keel · March 20, 2019, 3:55pm

I am running into an issue where my netflow index template is called netflow, with index pattern netflow-*. When a new index is created, it is called netflow-date.

I created a lifecycle rollover policy for this index template, but when I add the alias netflow-00001, I get the following error from the lifecycle policy:

illegal_argument_exception: index name [netflow-2019.03.20] does not match pattern '^.*-\d+$'

I am trying to find out how to tell the system to name new index create with the netflow template to be named netflow-date-1 and also to make the aliases called netflow-date-1, so that the number increments each time the index is rolled over into an alias name.

Our netflow data is 200+GB per day generated from roughly 5TB of bandwidth

I found a file called /usr/share/logstash/modules/netflow/configuration/elasticsearch/netflow.json

I tried adding the alias to the end of the file, which doesn't seem to affect newly created or existing indecies. I also don't see anywhere in the file to modify the naming convention of the newly created index to be netflow-date-1

Ryne_Keel · March 22, 2019, 5:07pm

My colleague looked through source code and found a variable that we were able to use in the logstash.yml file to solve the problem.

# ------------ Module Settings ---------------
modules:
  - name: netflow
    var.input.udp.port: "2055"
    var.kibana.host: "192.168.99.49:5601"
    var.elasticsearch.hosts: "192.168.50.240:9200"
    var.elasticsearch.index_suffix: "%{+YYYY.MM.dd}-1"


    var.elasticsearch.index_suffix: "%{+YYYY.MM.dd}-1"

system · April 19, 2019, 5:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.