Problem creating dynamic index from filename (filebeat)

Amine_Maalfi · February 21, 2020, 8:59am

Hello,

i am trying to create index name same as filename from source but it doesn't seem to work, here's my logstash config file :

   input {
      beats{
     port=> 5044
     }
   }

     filter {

     grok {
          match => ["source",".*\\%{GREEDYDATA:app_name}"]
       }
   }

     output {

       stdout {
         codec => rubydebug
          }


         elasticsearch {
          hosts => ["localhost:9200"]
      index => "%{app_name}"
       }
   }

Badger · February 21, 2020, 3:20pm

What do you see on stdout and what makes you think it is not working?

Amine_Maalfi · February 21, 2020, 3:21pm

the index name i get is exactly %{app_name}

Badger · February 21, 2020, 3:32pm

OK, so there is no [app_name] field on the event.

Amine_Maalfi · February 24, 2020, 7:44am

there is actually! and i also tried many fields that 100% exist but still it doesn't work

Amine_Maalfi · February 24, 2020, 8:04am

here's the pattern test:

pattern

Amine_Maalfi · February 24, 2020, 9:31am

I've found the solution, i have used [log][file][path] instead of source and i used mutate to transform it to lowercase, now it's creating indexes based on the source filename.

system · March 23, 2020, 9:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to index a file in elasticsearch Elasticsearch	6	1102	November 5, 2017
Index creation based on file name Logstash	4	3787	October 19, 2017
Not getting dynamic index in elasticsearch using logstash Logstash	9	2624	May 18, 2017
Filebeat dynamic indices name Beats filebeat	2	568	March 25, 2021
Index naming problem Logstash	2	1516	February 13, 2018

Problem creating dynamic index from filename (filebeat)

Related Topics