Part of the indices are created with this name "%{[kubernetes][namespace]}"

Hi Team,

I am using this configuration for Logstash:

input {
  beats {
    port => 6600
    type => "K4"
    codec => "json"
  }
}

filter {
  if [type] == "K4" {
    json { source => "message" }
  }
}

output {
  if [type] == "K4" {
    elasticsearch {
      hosts => ["very.nice.url:9200"]
      index => "%{[kubernetes][namespace]}-%{+YYYY.MM.dd}"
      cacert => "/etc/elasticsearch/root-ca.pem"
      user => "great_user_name"
      password => "great_password"
      ssl => true
      ssl_certificate_verification => false
    }
  }
}

And here is the Filebeat configuration:

filebeat.inputs:
- type: container
  paths:
    - /var/log/containers/*.log
  processors:
    - add_kubernetes_metadata:
        host: ${NODE_NAME}
        matchers:
        - logs_path:
            logs_path: "/var/log/containers/"
processors:
  - add_cloud_metadata:
  - add_host_metadata:
cloud.id: ${ELASTIC_CLOUD_ID}
cloud.auth: ${ELASTIC_CLOUD_AUTH}
output.logstash:
  hosts: ['logstash-prod.service.consul:6600']
#      username: ${ELASTICSEARCH_USERNAME}
#      password: ${ELASTICSEARCH_PASSWORD}

Many indexes are created correctly, but many indexes are also created like these:

  • %{[kubernetes][namespace]}-2021.03.14
  • %{[kubernetes][namespace]}-2021.03.15
  • %{[kubernetes][namespace]}-2021.03.16

Any idea what the reason is here?

I wanted to comment on this topic, but it was closed.

Look at the documents in that index. Do any of them have a field called [kubernetes][namespace]? If not, that is what causes them to be named that way.

The indentation of the second processors: option looks wrong to me, and YAML is notoriously picky about indentation. In fact the existence of a second processors: option looks wrong.
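As an added example (not part of the original thread or the posters' own configuration): when an event has no [kubernetes][namespace] field, Logstash leaves the `%{...}` reference unresolved and uses it literally as the index name. One way to guard against that is to build the index prefix in the filter stage and send events without the field to a fallback index. The `[@metadata][index_prefix]` field, the `k4-no-namespace` index name and the `missing_kubernetes_namespace` tag are hypothetical names chosen for this sketch.

```logstash
filter {
  if [type] == "K4" {
    json { source => "message" }

    # The conditional is true only when the field exists and is not null/false.
    if [kubernetes][namespace] {
      mutate {
        add_field => { "[@metadata][index_prefix]" => "%{[kubernetes][namespace]}" }
      }
    } else {
      # Hypothetical fallback: collect such events in one index and tag them,
      # so the events that arrive without Kubernetes metadata can be inspected.
      mutate {
        add_field => { "[@metadata][index_prefix]" => "k4-no-namespace" }
        add_tag   => ["missing_kubernetes_namespace"]
      }
    }
  }
}

output {
  if [type] == "K4" {
    elasticsearch {
      hosts    => ["very.nice.url:9200"]
      # [@metadata] fields are usable in sprintf references but are not
      # written into the indexed document.
      index    => "%{[@metadata][index_prefix]}-%{+YYYY.MM.dd}"
      user     => "great_user_name"
      password => "great_password"
      ssl      => true
      cacert   => "/etc/elasticsearch/root-ca.pem"
      # With a CA file supplied, certificate verification is left at its
      # default (enabled) in this sketch instead of being switched off.
    }
  }
}
```

Searching the fallback index for the `missing_kubernetes_namespace` tag then shows which sources ship events without the Kubernetes metadata.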

Looks like removing the 2nd processors and indenting its content correctly solved it.

Thanks!!!

I thought it solved the issue, but it didn't.

Here is the updated filebeat.yaml:

apiVersion: v1
data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"
        - add_cloud_metadata:
        - add_host_metadata:

    cloud.id: ${ELASTIC_CLOUD_ID}
    cloud.auth: ${ELASTIC_CLOUD_AUTH}
    output.logstash:
      hosts: ['10.16.14.31:6600','10.16.14.36:6600','10.16.14.43:6600','10.16.14.45:6600']

Any idea what it could be?
