Output Elasticsearch index name error

Frack · May 3, 2021, 12:42pm

I have a "logstash" index with documents while I have hardcoded the name of the output index by the tags.

when I check in the index "logstash" my logs have the right tag "windows" or "iptable" ...
I added a final "else" to be sure
I have try with 7.12.0 and 7.12.1 with the same result
I don't find why I've got the logstash index.

my output.conf

output {
if "iptable" in [tags] {
elasticsearch {
index => "firewall"
hosts => ["http://elasticsearch:9200"]
}
}
else if "winlogbeats" in [tags] {
elasticsearch {
index => "winlogbeats"
hosts => ["http://elasticsearch:9200"]
}
}
else if "windows" in [tags] {
elasticsearch {
index => "windows"
hosts => ["http://elasticsearch:9200"]
}
}
else {
elasticsearch {
index => "notag"
hosts => ["http://elasticsearch:9200"]
}
}
}

Badger · May 3, 2021, 3:06pm

When ILM is enabled the index option on the output is ignored.

Frack · May 3, 2021, 4:53pm

Hello,
I have add ilm_enabled => "false" to all my output .
Now I have my notag index
but after remove all index and a full restart ELK

logstash |yellow|open|1|1|1965 |920.8kb
firewall|yellow|open|1|1 |6 |114kb
notag|yellow open |1 |1 | 1959| 882.9kb

The Logstash index seen to be a copy of all the other index...

Frack · May 4, 2021, 9:25am

Hello,
find the solution in the log.
there was in my pipeline a output.conf.bak before I try the index option.
So I've got 2 output really stupid and simple .

system · June 1, 2021, 9:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.