Unable to create index with %{type} in logstash output

Neelam_Zanvar · May 23, 2023, 6:51am

Hi here is my logstash config file

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => "http://IP:9200"
    index => "%{type}%{+YYYY.MM.dd}"
    user => "elastic"
    password => "pwd"
  }
}

This is not creating the index. getting %{type} not compatible. if i remove {type} and put a string in its place it is creating the index. I tried putting %{[fields.type]} this is also giving me error

 elasticsearch - Badly formatted index, after interpolation still contains placeholder: [%{[fields.type]}2023.05.23];

What is the correct syntax. I am using 8.7 version of elk stack

eMitch · May 24, 2023, 1:11pm

Hi @Neelam_Zanvar.

Assuming you have the type field available, then it should be something closer to: index => "%{[type]}%-{+YYYY.MM.dd}"

see examples from here: Writing to different indices: best practices

leandrojmp · May 24, 2023, 1:18pm

The syntax is correct as you can check in the documentation.

You need to make sure that you have the field you are referencing in your document.

Also, the correct way to reference nested fields in logstash is using [field][nested] and not field.nested, in this case you would need to use [fields][type], not [fields.type]