It very closely matches my data. The difference is I need this to go into its own index. My data is JSON formatted and only includes a few simple fields.
Since my data is already JSON formatted, I was planning on skipping Logstash. And that blog seemed like a great match.
I am having difficulties tracking the error. When I include the lines to create/use the new index in the filebeat.yml file, the service fails to start silently. If I remove those lines, the log file has the expected "Exiting: setup.template.name and setup.template.pattern have to be set if index name is modified." error.
I have also read the guide at https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-template.html. I was hoping to just use the Filebeat template. According to that blog, I will see my custom fields appear. I have tried several variations of the settings below. This is the version which explains what I am trying to do. (Use the existing Filebeat template, but apply it to the index pattern octobeat-*.)
Am I overthinking this? Is there a simple way to get a JSON message into Elasticsearch under an index named octobeat-*? Thank you very much!
```yaml
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  # Change to true to enable this input configuration.
  enabled: true
  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    #- /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*
    - e:\DevOpsLogs\octopus_deployLog.log*
filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml
  # Set to true to enable config reloading
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
  #index.codec: best_compression
  #_source.enabled: false
setup.template.name: "octobeat"
setup.template.pattern: "octobeat-*"
setup.template.path: "C:\Program Files\Filebeat_Octopus\fields.yml"
setup.kibana:
  host: "myelkserver:5601"
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["myelkserver:9200"]
  index: "octobeat-%{[beat.version]}-%{+yyyy.MM.dd}"
```
JSON message = {"Timestamp":"2018-11-09T13:17:44.8896393-05:00","OctopusProjectName":"The Octopus Project Name","OctopusReleaseNumber":"The Octopus Release Number As String","OctopusEnvironmentName":"The Octopus Environment Name"}
Not sure if this is helpful, but doing a similar task via PowerShell was trivial. I switched to Filebeat because it's nice to have those log files in case something breaks and I need to replay everything to build up the indexes again. Not criticizing Filebeat here, I understand there are a LOT more features included such as backpressure, just trying to give an example of what I am trying to replicate.
The index name to write events to. The default is "filebeat-%{[beat.version]}-%{+yyyy.MM.dd}" (for example, "filebeat-6.4.3-2018-11-06"). If you change this setting, you also need to configure the setup.template.name and setup.template.pattern options (see Load the Elasticsearch index template). If you are using the pre-built Kibana dashboards, you also need to set the setup.dashboards.index option (see Load the Kibana dashboards).
You can set the index dynamically by using a format string to access any event field. For example, this configuration uses a custom field, fields.log_type, to set the index:
The template pattern to apply to the default index settings. The default pattern is filebeat-*. The Filebeat version is always included in the pattern, so the final pattern is filebeat-%{[beat.version]}-*. The wildcard character -* is used to match all daily indices.
I think I may not be adding setup.template.name and pattern to the correct part of the YML. I haven't found anything from the filebeat.reference.yml which helps with this.
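An added example, not part of the original post or of Elastic's documentation: one way the configuration above could be written for Filebeat 6.x so that one-JSON-object-per-line logs land in octobeat-* indices. It assumes the Filebeat 6.x `json.*` input options and the `setup.template.fields` option (the setting that points at fields.yml); host names and paths are the ones from the post.

```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    # Unquoted (plain) YAML scalars keep backslashes literal.
    - e:\DevOpsLogs\octopus_deployLog.log*
  # Each line is one JSON object: decode it and lift its keys
  # (Timestamp, OctopusProjectName, ...) to the top level of the event.
  json.keys_under_root: true
  # Add an error key to the event when a line is not valid JSON,
  # instead of dropping the problem silently.
  json.add_error_key: true

# Top-level settings, required whenever output.elasticsearch.index
# is changed from the default filebeat-* name.
setup.template.name: "octobeat"
setup.template.pattern: "octobeat-*"
# Single quotes on purpose: inside a double-quoted YAML string a
# backslash starts an escape sequence, so "\Filebeat_Octopus" and
# "\fields.yml" are not read as literal path components.
setup.template.fields: 'C:\Program Files\Filebeat_Octopus\fields.yml'
setup.template.settings:
  index.number_of_shards: 3

setup.kibana:
  host: "myelkserver:5601"

output.elasticsearch:
  hosts: ["myelkserver:9200"]
  # Matches setup.template.pattern above, so the template is applied.
  index: "octobeat-%{[beat.version]}-%{+yyyy.MM.dd}"
```

Running `filebeat test config -c filebeat.yml`, or starting Filebeat in the foreground with `-e`, prints configuration and YAML parse errors to the console rather than leaving the Windows service to stop without a message.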