Unable to create index with %{type} in logstash output

Neelam_Zanvar · May 23, 2023, 6:51am

Hi here is my logstash config file

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "http://IP:9200"
    index => "%{type}%{+YYYY.MM.dd}"
    user => "elastic"
    password => "pwd"
  }
}

This is not creating the index. getting %{type} not compatible. if i remove {type} and put a string in its place it is creating the index. I tried putting %{[fields.type]} this is also giving me error

 elasticsearch - Badly formatted index, after interpolation still contains placeholder: [%{[fields.type]}2023.05.23];

What is the correct syntax. I am using 8.7 version of elk stack

eMitch · May 24, 2023, 1:11pm

Hi @Neelam_Zanvar.

Assuming you have the type field available, then it should be something closer to: index => "%{[type]}%-{+YYYY.MM.dd}"

see examples from here: Writing to different indices: best practices

leandrojmp · May 24, 2023, 1:18pm

The syntax is correct as you can check in the documentation.

You need to make sure that you have the field you are referencing in your document.

Also, the correct way to reference nested fields in logstash is using [field][nested] and not field.nested, in this case you would need to use [fields][type], not [fields.type]

system · June 21, 2023, 3:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't create indices Logstash	7	11741	December 2, 2020
Unable to create elasticsearch index from logstash.conf file Elasticsearch	7	2242	May 1, 2020
Unable to create an index in elastic search through filebeat/ logstash in 5.2 version Elasticsearch	1	405	September 26, 2018
Logstash is not creating index to Elasticsearch version - 7.3.1 Logstash	5	329	October 17, 2019
Beat not creating index the right way after change output from elasticsearch to logstash Logstash	1	333	October 23, 2020

Unable to create index with %{type} in logstash output

Related topics