Question Regarding `index` in logstash elasticsearch output plugin

shreyask · January 25, 2018, 2:25am

I am using logstash elasticsearch output plugin to create time based indices.
I create index patterns in the following way currently:

output {
# other settings
index => "server-netlogs-%{+YYYY.MM.dd}" 
}

The events which I want to index have @timestamp field on them which represents the source of truth. But the %{+YYYY.MM.dd} used in creating the index pattern uses the current timestamp of the instance logstash is running on.

I wanted to know if it is possible to use @timestamp for the index as in my case real timestamp != timestamp on the event and I want the timestamp in the event to be used to index the data in ES.

Any pointers would be greatly appreciated.

magnusbaeck · January 25, 2018, 7:12am

The events which I want to index have @timestamp field on them which represents the source of truth. But the %{+YYYY.MM.dd} used in creating the index pattern uses the current timestamp of the instance logstash is running on.

No, %{+YYYY.MM.dd} uses the @timestamp value of each event.

shreyask · January 25, 2018, 8:21pm

Thanks for the clarification. @magnusbaeck I have a mutation filter which mutated @timestamp so I had to change the ordering of a couple of filters to make sure @timestamp is primed and it does create indices based on that. Really appreciate the swift reply.

Topic		Replies	Views
[Solved] [Logstash] Elasticsearch output plugin question Logstash	3	571	July 6, 2017
Logstash Output to Elasticsearch using todays date instead of @timestamp Logstash	6	3017	June 3, 2020
Indices names missing timestamp Logstash	4	605	December 19, 2019
How is -%{+YYYY.MM.dd} generated on Logstash output Logstash	4	8598	August 29, 2018
How does logstash chose which timestamped index to use? Elasticsearch	4	567	July 6, 2017

Question Regarding `index` in logstash elasticsearch output plugin

Related topics