Prevent filebeat-version-yyyy-mm-dd index from ingesting

On daily basis i am seeing indexes with name filebeat-7.17.7-yyyy-mm-dd are creating. This is eating lot of space i have to delete them manually.

  1. I Have seen options like to create entry in ES which will not allow auto index => if i enable this then ILM will not work.

Is there any better option to stop this entirely?

Can you stop them at the source?

actually i am not seeing anything about it on filebeat.yml file.

What does your filebeat.yml looks like?

Is this the only filebeat you have?

If you do not want the data you need to stop it in the source.

here is the file.

- type: log
  enabled: true
    - /var/log/*/*/*/*.log
          type: demo_logs
# ---------------------------- Elasticsearch Output ----------------------------
  # Array of hosts to connect to.
  #hosts: ["ip:9200"]

# ------------------------------ Logstash Output -------------------------------
  # The Logstash hosts
        hosts: ["ip:5044"]
# ================================= Processors =================================
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
  - drop_event:
                          message: INFO

rest of fields are commented out.

You are sending your logs to Logstash, so you need to look check and share your logstash configuration.

Also, you didn't say if you are running other filebeats or just this one.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.