
I am trying to have Elasticsearch index based on a field so I can get an index for each source (allowing for secure access to each index).

I tried something along the lines of

output {
    stdout { codec => rubydebug }
    elasticsearch {
       index => [SERVER]"-%{+YYYY.MM.dd}"
    }
}

as well as

output {
    stdout { codec => rubydebug }
    elasticsearch{
       index => "[SERVER]-%{+YYYY.MM.dd}"
    }
}

and neither works: the first errors, and the second tries to create the index with [SERVER] in it and then errors due to the uppercase letters. This might not be supported, as I can't find it anywhere in the docs, but I was wondering if anyone has gotten something like this functional for their own ELK stacks?

1 Answer

The right syntax for this is "%{SERVER}-%{+YYYY.MM.dd}"

According to the documentation:

[The index to write] can be dynamic using the %{foo} syntax.


Comments

How did I miss that... smh
I tried output { stdout { codec => rubydebug } elasticsearch { index => "%{SERVER}-%{+YYYY.MM.dd}" } }
The above still didn't work. Are you sure it can be mapped to fields?
Well, it worked in my case... Could you give more information? What happened this time (errors, index created with the wrong name...)? And maybe your configuration?
That is the exact output configuration. In my filter I extract a field named SERVER using grok. It is simply sending the entire string %{SERVER} where it should be replacing the variable, causing ES to reject it (the field definitely exists; I can see it in the output when I am using an index name that works).
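A complete pipeline for the per-source index pattern the answer describes, added here as an example (it is not code from the question, the answer or the Logstash project). It shows the %{SERVER} substitution together with the two failure modes raised in the thread: Elasticsearch rejects uppercase index names, and if the field is absent from the event at output time Logstash does not error but writes the literal string %{SERVER} into the index name, which Elasticsearch then rejects. The generator lines are constructed sample data; the Elasticsearch host, the user name and the password variable are assumptions.

```conf
# Added example: build the index name from a grok-extracted field, normalise
# it to something Elasticsearch accepts, and route events without a usable
# field elsewhere. Sample lines are constructed; ES host/credentials are assumed.
input {
  generator {
    # Constructed sample log lines: hostname is the first token.
    # 1: uppercase host (must be lowercased), 2: fine as-is,
    # 3: no hostname (grok fails), 4: value that is not a safe index fragment.
    lines => [
      "WEBSRV01 2024-01-01T00:00:01Z GET /login 200",
      "dbsrv-02 2024-01-01T00:00:02Z SELECT ok",
      "garbage line without a leading hostname",
      "../other 2024-01-01T00:00:03Z GET /etc 404"
    ]
    count => 1
  }
}

filter {
  # Extract the source name into SERVER. On no match grok adds the tag
  # _grokparsefailure and leaves the event without a SERVER field.
  grok {
    match => { "message" => "^%{NOTSPACE:SERVER} %{TIMESTAMP_ISO8601:ts} %{GREEDYDATA:rest}" }
  }

  if [SERVER] {
    # Index names must be lowercase; HOSTNAME/NOTSPACE happily capture "WEBSRV01".
    mutate { lowercase => [ "SERVER" ] }

    # Only allow a conservative character set for the index-name fragment.
    # Elasticsearch forbids \ / * ? " < > | , # space and colon, and names
    # starting with - _ + or consisting of dots. Keeping an allowlist also
    # stops a log source from choosing which index it lands in.
    if [SERVER] !~ /^[a-z0-9][a-z0-9._-]{0,100}$/ {
      mutate {
        add_tag      => [ "bad_server_name" ]
        remove_field => [ "SERVER" ]
      }
    }
  }
}

output {
  # While testing: shows the SERVER field and tags the output stage actually sees.
  stdout { codec => rubydebug }

  if [SERVER] {
    elasticsearch {
      hosts    => [ "https://es.example.internal:9200" ]   # assumption
      user     => "logstash_writer"                         # assumption
      password => "${LOGSTASH_ES_PASSWORD}"                 # from keystore/env, assumption
      index    => "%{SERVER}-%{+YYYY.MM.dd}"
    }
  } else {
    # No usable SERVER field: quarantine the event instead of letting Logstash
    # ask Elasticsearch for an index literally named "%{SERVER}-2024.01.01".
    elasticsearch {
      hosts    => [ "https://es.example.internal:9200" ]   # assumption
      user     => "logstash_writer"                         # assumption
      password => "${LOGSTASH_ES_PASSWORD}"                 # assumption
      index    => "unparsed-%{+YYYY.MM.dd}"
    }
  }
}
```

Run it with `bin/logstash -f per-source.conf`. With the sample lines the first two events go to websrv01-YYYY.MM.dd and dbsrv-02-YYYY.MM.dd, while the third (tagged _grokparsefailure) and fourth (tagged bad_server_name) go to unparsed-YYYY.MM.dd. If an index name shows up as the literal "%{SERVER}-...", the rubydebug output will confirm whether the field is really present on the event, and under what exact name, at the point the output plugin evaluates it; the index string is expanded per event, so a field that exists in one filter stage but is renamed or removed before the output will not be substituted. The per-index read access the question is after is then granted in Elasticsearch itself (index-pattern roles), with the writer account above holding only write and create-index privileges on the pattern `*-*`.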
