Problem creating dynamic index from filename (filebeat)

Amine_Maalfi · February 21, 2020, 8:59am

Hello,

i am trying to create index name same as filename from source but it doesn't seem to work, here's my logstash config file :

   input {
      beats{
     port=> 5044
     }
   }

     filter {

     grok {
          match => ["source",".*\\%{GREEDYDATA:app_name}"]
       }
   }

     output {

       stdout {
         codec => rubydebug
          }


         elasticsearch {
          hosts => ["localhost:9200"]
      index => "%{app_name}"
       }
   }

Badger · February 21, 2020, 3:20pm

What do you see on stdout and what makes you think it is not working?

Amine_Maalfi · February 21, 2020, 3:21pm

the index name i get is exactly %{app_name}

Badger · February 21, 2020, 3:32pm

OK, so there is no [app_name] field on the event.

Amine_Maalfi · February 24, 2020, 7:44am

there is actually! and i also tried many fields that 100% exist but still it doesn't work

Amine_Maalfi · February 24, 2020, 8:04am

here's the pattern test:

pattern

Amine_Maalfi · February 24, 2020, 9:31am

I've found the solution, i have used [log][file][path] instead of source and i used mutate to transform it to lowercase, now it's creating indexes based on the source filename.

Topic		Replies	Views
Best practice for setting index names when using filebeats to logstash Beats filebeat	3	2213	March 4, 2018
How to use filename as index wiht beats input Logstash	2	1695	May 16, 2018
Logtash adding filename as index name Logstash	4	5004	June 8, 2018
Logstash - Get index name from filename Logstash	4	3420	February 4, 2020
How to put each file name as index name to store Elasticsearch via Filebeat Beats filebeat	2	651	December 28, 2022

Problem creating dynamic index from filename (filebeat)

Related topics