Packetbeat invalid_index_name

james777 · November 25, 2016, 4:50am

Hi,
I am trying to run packetbeat 5.0.1 in centos 6, while running I am getting the below error log
2016-11-25T13:20:01+09:00 WARN Can not index event (status=400): {"type":"invalid_index_name_exception","reason":"Invalid index name [packetbeat-2016.11.25.PM], must be lowercase","index_uuid":"na","index":"packetbeat-2016.11.25.PM"}
2016-11-25T13:20:01+09:00 WARN Can not index event (status=400): {"type":"invalid_index_name_exception","reason":"Invalid index name [packetbeat-2016.11.25.PM], must be lowercase","index_uuid":"na","index":"packetbeat-2016.11.25.PM"}
2016-11-25T13:20:01+09:00 WARN Can not index event (status=400): {"type":"invalid_index_name_exception","reason":"Invalid index name [packetbeat-2016.11.25.PM], must be lowercase","index_uuid":"na","index":"packetbeat-2016.11.25.PM"}
2016-11-25T13:20:01+09:00 WARN Can not index event (status=400): {"type":"invalid_index_name_exception","reason":"Invalid index name [packetbeat-2016.11.25.PM], must be lowercase","index_uuid":"na","index":"packetbeat-2016.11.25.PM"}

in my packetbeat.yml I have specified elasticsearch

output.elasticsearch:
index: "packetbeat-%{+yyyy.MM.dd.aa}"

I am not sure what I am doing, any idea?
Thank you!

magnusbaeck · November 25, 2016, 5:10am

As the error message says, index names must be lowercase. Apparently you can't use "aa" in index name patterns. Do you really need to split each day's index in two?

james777 · November 25, 2016, 7:38am

yes, It has to be separated for storage capacity

magnusbaeck · November 25, 2016, 7:40am

How big would a daily index be? Perhaps you can do hourly indexes?

system · December 23, 2016, 7:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.