Possible to add to @metadata?

whitej · February 24, 2016, 1:41pm

Is it possible to add information to the @metadata field? Or perhaps there's a better way to accomplish what I'm trying to do.

I have multiple prospectors set up on each machine. Each prospector is consuming logs from specific applications of the system. On each prospector, I've configured the document_type to describe the log file I'm consuming. They are basically named like this: "muffin_debuglog", "biscuit_debuglog", "jelly_debuglog", etc. My logstash output is sending all these into one index since my output is straight out of the example documentation:
output { elasticsearch { hosts => "localhost:9200" manage_template => false index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}" document_type => "%{[@metadata][type]}" } }

My thinking was that I could do something like this: index => "%{[@metadata][beat]}-%{[@metadata][application_name]}-%{+YYYY.MM.dd}"

magnusbaeck · February 24, 2016, 1:42pm

The fields option in the Filebeat configuration can be used to add arbitrary additional fields to events.

whitej · February 24, 2016, 1:44pm

I saw that in the configuration and thought "maybe this is the way to go". So I would add a fields: declaration to my filebeat yaml. Easy. In the output section of the Logstash configuration, would it just be something like %{[fields][application_name]}?

magnusbaeck · February 24, 2016, 1:47pm

Something like that, obviously depending on the actual name of the field.

whitej · February 24, 2016, 1:49pm

Excellent. Thank you for the assist. Gonna go give this a go. What's the worst that could possibly happen, right?