Using the %{foo} syntax in ES output - template parameter

kariboe · February 14, 2017, 1:55pm

Hello all,

Using logstash 5.2 .. can I use the %{foo} syntax in the ES output template_path variable?

output {
    elasticsearch {
        hosts => ["xxxxxx:9200","xxxxxxxx:9200"]
        index => "%{application}-%{+YYYY.MM.dd}"
        template_name => "%{application}"
        template => "/etc/logstash/elastic.d/%{application}_template.json"
        template_overwrite => true
    }
}

It causes error when restart logstash. File does not exist or cannot be opened.

Kind Regards,

Stefaan

magnusbaeck · February 15, 2017, 6:49am

If it complains about not being able to open /etc/logstash/elastic.d/%{application}_template.json then it's indeed not supported.

erikanderson753 · February 23, 2017, 5:38pm

Seeing the same thing on my end, it seems like a weird omission to not allow interpolation for those settings

github.com

logstash-plugins/logstash-output-elasticsearch/blob/master/lib/logstash/outputs/elasticsearch/common_configs.rb

require 'forwardable' # Needed for logstash core SafeURI. We need to patch this in core: https://github.com/elastic/logstash/pull/5978

module LogStash; module Outputs; class ElasticSearch
  module CommonConfigs
    def self.included(mod)
      # The index to write events to. This can be dynamic using the `%{foo}` syntax.
      # The default value will partition your indices by day so you can more easily
      # delete old data or only search specific date ranges.
      # Indexes may not contain uppercase characters.
      # For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}.
      # LS uses Joda to format the index pattern from event timestamp.
      # Joda formats are defined http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[here].
      mod.config :index, :validate => :string, :default => "logstash-%{+YYYY.MM.dd}"

      mod.config :document_type, 
        :validate => :string, 
        :deprecated => "Document types are being deprecated in Elasticsearch 6.0, and removed entirely in 7.0. You should avoid this feature"

      # From Logstash 1.3 onwards, a template is applied to Elasticsearch during
      # Logstash's startup if one with the name `template_name` does not already exist.

This file has been truncated. show original

Only some fields have this note:
This can be dynamic using the `%{foo}` syntax.

magnusbaeck · February 24, 2017, 7:25am

Seeing the same thing on my end, it seems like a weird omission to not allow interpolation for those settings

Not really. Not all output parameters are suitable to be event-dependent, or at least require great care when implementing.

erikanderson753 · February 24, 2017, 3:56pm

Sorry, that was unfair of me to categorize it like that. I think that it would be a very useful thing to have based on comments here and on stack overflow. http://stackoverflow.com/questions/26724871/logstash-dynamically-assign-template

In our case it would be very valuable to be able to dynamically set the template path especially in order to consolidate down to one elasticsearch output

theuntergeek · February 27, 2017, 8:53pm

You cannot dynamically assign a template, because templates are uploaded only once, at initialization. Without the flow of traffic, deterministic variable completion does not happen. Since there is no traffic flow during initialization, there is nothing there which can "fill in the blank" for %{application}.

Index templates are only used when a new index is created, and so it is that templates are not uploaded every time a document reached the Elasticsearch output block in Logstash (can you imagine how much slower it would be if Logstash had to do that?). If you intend to have multiple templates, they need to be preexistent, and uploaded to Elasticsearch before any data gets sent there. You can do this with a script of your own making using curl and Elasticsearch API calls. This also permits you to update templates without having to restart Logstash. You could run the script any time before index rollover, and when the new indices get created, they'll have the new template settings.

Logstash can send data to a dynamically configured index name, just as you have above. The template must be pre-existent in Elasticsearch before that is attempted, or Elasticsearch will create a best-guess mapping, rather than what you wanted to send in a template. Honestly, templates can and ought to be completely independent of Logstash. We only added this functionality for an improved out-of-the-box experience for brand new users. The default template is less than ideal for advanced use cases, and Logstash is not a good tool for template management if you have more than one index template.

If you manage the templates outside of Logstash, then this:

kariboe:

output {
    elasticsearch {
        hosts => ["xxxxxx:9200","xxxxxxxx:9200"]
        index => "%{application}-%{+YYYY.MM.dd}"
        template_name => "%{application}"
        template => "/etc/logstash/elastic.d/%{application}_template.json"
        template_overwrite => true
    }
}

can be replaced by this:

output {
   elasticsearch {
        hosts => ["xxxxxx:9200","xxxxxxxx:9200"]
        index => "%{application}-%{+YYYY.MM.dd}"
    }
}

And you get to keep a single elasticsearch output block in Logstash.

system · March 27, 2017, 8:53pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.