We have Logstash and Elastic on a k8s environment.
In our topology Logstash receives data from multiple applications, while part of the data is application name \ id. Is there a way to add a dynamic variable to the index name or alias and still maintain ILM?
Important to note: we do not know all application names at Logstash startup, and need to react based on arriving traffic.
Manipulating the "ilm_rollover_alias" or using "index" allows us to change the index name, but it breaks ILM.
When you define an ILM policy you define which template gets used.
When you define a template you can define an index pattern that matches to any index based on that pattern.
So instead of defining your ILM policy in logstash you can create a template in Elasticsearch that is already inherited by an ILM policy.
Then when you write out to Elasticsearch write to an index that uses that template (index pattern matches) and then it should automatically be included in the ILM policy.
It actually makes a lot of sense.
While we seem to have made progress, we're still struggling with the implementation.
Now the Logstash config looks like so:
elasticsearch {
  index => "event-%{param1}-000001"
  template_name => "event-tmpl"
}
so the indexes look like:
event-<app_name>-000001
In Elastic the index template, "event-tmpl", has the following config:
Now the problem is setting the rollover alias. Seeing as the name is dynamic (it's located in the mapping), we can't seem to find the correct way to assign it.
Please note we have several active log sources and need them routed to different indexes; each should have ILM based on the "events_ilm" policy.
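
One way to give each application its own rollover alias, as an added example that is not part of the original thread: build the Elasticsearch bootstrap request for the first index of an application, after validating the application name, since it arrives with the traffic and ends up in an index name. The helper names and the alias form "event-<app>" are assumptions; "events_ilm" and the "event-<app_name>-000001" naming come from the posts above.

```python
import json
import re

# From the thread: the ILM policy name and the "event-<app_name>-000001" naming.
ILM_POLICY = "events_ilm"

# Assumption: an allow-list stricter than Elasticsearch's own index-name rules
# (lowercase only, none of \ / * ? " < > | , # : or spaces). The application
# name is taken from incoming events, so it is treated as untrusted input.
_SAFE_APP = re.compile(r"[a-z0-9][a-z0-9._-]{0,99}")


def normalise_app(app_name: str) -> str:
    """Lowercase the application name and reject anything unsafe in an index name."""
    app = app_name.strip().lower()
    if not _SAFE_APP.fullmatch(app):
        raise ValueError(f"unsafe application name for an index: {app_name!r}")
    return app


def bootstrap_request(app_name: str):
    """Return (method, path, body) that creates the first index of one application.

    The index is created with its own write alias, and the same alias is set as
    index.lifecycle.rollover_alias so that ILM can roll it over.
    """
    app = normalise_app(app_name)
    alias = f"event-{app}"  # hypothetical alias form, one per application
    body = {
        "aliases": {alias: {"is_write_index": True}},
        "settings": {
            "index.lifecycle.name": ILM_POLICY,
            "index.lifecycle.rollover_alias": alias,
        },
    }
    return "PUT", f"/{alias}-000001", body


if __name__ == "__main__":
    for name in ["Billing", "auth-svc"]:  # constructed sample application names
        method, path, body = bootstrap_request(name)
        print(method, path)
        print(json.dumps(body, indent=2))
```

The request has to reach Elasticsearch before the first event of that application is indexed, and writes then go to the alias rather than to the "-000001" name.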