Multiple indexes multiple tag

Hello,
I divide my logs into different indices using the event.module value

indices:
    - index: "filebeat-system-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "system"
    - index: "filebeat-apache-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "apache"

Is it possible to apply tags or fields at this level?
Example:

indices:
    - index: "filebeat-system-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "system"
      tags: ["system"] 
    - index: "filebeat-apache-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "apache"
      tags: ["apache"]

Thanks for your time
best regards

Hi, I'm not sure how this question ended up under the Kibana topic. What tool uses the configuration that you have provided? I might be able to help, but you can probably get better help from the experts of that tool.

Thanks for your time. I'm collecting logs using Filebeat and I split the data into different indices using event.module. I would also like to apply a custom tag and/or a field to the logs, e.g. the tag system for index filebeat-systemXYZ or the tag apache for index filebeat-apacheXYZ.

Thanks for your time

Hi, you should look for information about enhancing the data in filebeat before sending it to the output.

I'm not sure if you found the right documentation on defining processors that do this, but you can check here: Define processors | Filebeat Reference [7.16] | Elastic

It looks like the type of processor you'll want to use is add_fields: Add fields | Filebeat Reference [7.16] | Elastic

If you still get stuck, I recommend moving this question to the Observability > Logs area: Logs - Discuss the Elastic Stack
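The processor approach suggested above, sketched as an added filebeat.yml fragment (not part of the original posts). It assumes event.module is already set by the Filebeat modules when the global processors run; the field name log_group and the hosts value are made up for illustration.

```yaml
# Added example: tag and enrich events per module before they reach the output.
processors:
  # add_tags appends to the event's "tags" list (the default target).
  - add_tags:
      when.equals:
        event.module: "system"
      tags: ["system"]
  - add_tags:
      when.equals:
        event.module: "apache"
      tags: ["apache"]
  # add_fields writes under "fields." by default, giving fields.log_group here.
  # "log_group" is a hypothetical field name.
  - add_fields:
      when.equals:
        event.module: "apache"
      fields:
        log_group: "web"

output.elasticsearch:
  hosts: ["localhost:9200"]   # constructed placeholder
  # Index routing stays as in the question; "indices" entries only select the
  # target index and do not accept tags or fields.
  indices:
    - index: "filebeat-system-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "system"
    - index: "filebeat-apache-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "apache"
```

Running `filebeat test config` after the change confirms that the file still parses.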

Thanks for your help,
it is a good solution to my problem.

Thanks again
best regards
