Instead of having Winlogbeat create daily indices, can we create a separate index for logs from each different client (different machine) sent to one Elasticsearch server?
I guess you are looking for output.elasticsearch.index or output.elasticsearch.indices settings. The docs show how this can be done.
Yeah, I think so... I am sending logs to Logstash using Winlogbeat and then to Elasticsearch.
Where do I change these settings?
In the Logstash config file?
These are settings in the Elasticsearch output in Winlogbeat. If you send to Logstash, then you cannot use those settings. You will have to do filtering/routing in Logstash. Check out the index setting in the Logstash elasticsearch output.
But there are no settings of this kind in the Logstash index?
What can I do?
See the index setting. You can reuse any field available in your event or in @metadata (fields in @metadata will not be sent to Elasticsearch).
What? I cannot get it. Could you explain a little bit?
In Logstash you can configure the index to be:
    output {
      elasticsearch {
        ...
        index => "%{[@metadata][index]}-%{+yyyy.MM.dd}"
      }
    }
In this example the @metadata.index field will be used as base name. Using conditionals in filter, you can set this field to whatever you need.
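Added example, not part of the original thread: a complete Logstash pipeline that sets the @metadata index field with filter conditionals so each Winlogbeat client lands in its own daily index. The port, Elasticsearch address, host names and index prefixes are assumptions, as is the presence of the [host][name] field in the incoming events.

```logstash
# Added example (not from the thread): per-client index routing for Winlogbeat events.
input {
  beats {
    port => 5044    # assumed Beats listener port
  }
}

filter {
  if [host][name] in ["DC01", "DC02"] {
    # Constructed host names: group domain controllers into one shared index.
    mutate { add_field => { "[@metadata][index]" => "winlogbeat-dc" } }
  } else if [host][name] {
    # Every other client gets an index named after its own host name.
    mutate { add_field => { "[@metadata][index]" => "winlogbeat-%{[host][name]}" } }
  } else {
    # Events without a host name still need a valid index name.
    mutate { add_field => { "[@metadata][index]" => "winlogbeat-unknown" } }
  }

  # Elasticsearch rejects index names containing uppercase letters,
  # and Windows host names are often uppercase.
  mutate { lowercase => [ "[@metadata][index]" ] }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]    # assumed Elasticsearch address
    index => "%{[@metadata][index]}-%{+yyyy.MM.dd}"
  }
}
```

Because the routing field lives under @metadata, it is used to build the index name but is not stored in the indexed document.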