Hello,
i am trying to create index name same as filename from source but it doesn't seem to work, here's my logstash config file :
input {
beats{
port=> 5044
}
}
filter {
grok {
match => ["source",".*\\%{GREEDYDATA:app_name}"]
}
}
output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => ["localhost:9200"]
index => "%{app_name}"
}
}What do you see on stdout and what makes you think it is not working?
the index name i get is exactly %{app_name}
OK, so there is no [app_name] field on the event.
there is actually! and i also tried many fields that 100% exist but still it doesn't work
here's the pattern test:
I've found the solution, i have used [log][file][path] instead of source and i used mutate to transform it to lowercase, now it's creating indexes based on the source filename.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.