I'm trying to send my logs to multiple indices based on a field value.https://www.elastic.co/guide/en/beats/filebeat/5.0/elasticsearch-output.html#_indices
I want to do something like this :
indices:
- index: "functional-%{+yyyy.MM.dd}"
when.equals:
document_type: functional-log
- index: "technichal-%{+yyyy.MM.dd}"
when.equals:
document_type: technichal-log
- index: "other-%{+yyyy.MM.dd}"
when.equals:
document_type: other-log
The documentation doesn't explain the keyword I can use after the "when" field.
How can I do this indices mapping ? Can I find more information somewhere ?
andrewkroh
December 20, 2016, 3:11pm
2
The conditions available should be the same as what are using with the processors. See https://www.elastic.co/guide/en/beats/filebeat/5.1/configuration-processors.html#conditions . Please open a new issue in the beats repo so that this gets added to the indices config documentation.
The when condition should be at the same indentation level as index so move yours to the left a bit.
Thanks, this works with this configuration :
indices:
- index: "functional-%{+yyyy.MM.dd}"
when.equals:
logger_name: "functional"
- index: "technical-%{+yyyy.MM.dd}"
when.equals:
logger_name: "technical"
- index: "other-%{+yyyy.MM.dd}"
when.equals:
logger_name: "other"
I open a issue here : https://github.com/elastic/beats/issues/3227
steffens
December 21, 2016, 12:57pm
4
why exactly do you need indices? Why didn't you configure:
index: '%{[logger_name]}-%{+yyyy.MM.dd}'
?
I updated your ticket, so we will properly document index setting capabilities.
1 Like
Because I didn't know that we can do this "%{[logger_name]}" in an index name.
system
January 18, 2017, 1:13pm
6
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.