Logstash sprintf formatting for elasticsearch outp

2020-02-07 10:17发布

站内问答 / 后端开发
1082 1 5

I am having trouble using sprintf to reference the event fields in the elasticsearch output plugin and I'm not sure why. Below is the event received from Filebeat and sent to Elasticsearch after filtering is complete:

{
          "beat" => {
        "hostname" => "ca86fed16953",
            "name" => "ca86fed16953",
         "version" => "6.5.1"
    },
    "@timestamp" => 2018-12-02T05:13:21.879Z,
          "host" => {
        "name" => "ca86fed16953"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_grokparsefailure"
    ],
        "fields" => {
        "env" => "DEV"
    },
        "source" => "/usr/share/filebeat/dockerlogs/logstash_DEV.log",
      "@version" => "1",
    "prospector" => {
        "type" => "log"
    },
        "bgp_id" => "42313900",
       "message" => "{<some message here>}",
        "offset" => 1440990627,
         "input" => {
        "type" => "log"
    },
        "docker" => {
        "container" => {
            "id" => "logstash_DEV.log"
        }
    }
}

I am trying to index the files this based on filebeat's environment. Here is my config file:

input {
  http { }
  beats {
    port => 5044
  }
}

filter {
  grok {
    patterns_dir => ["/usr/share/logstash/pipeline/patterns"]
    break_on_match => false
    match => { "message" => ["%{RUBY_LOGGER}"]
             }
  }
}

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "%{[fields][env]}-%{+yyyy.MM.dd}"
  }
  stdout { codec => rubydebug }
}

I would think the referenced event fields would have already been populated by the time it reaches the elasticsearch output plugin. However, on the kibana end, it doesnt not register the formatted index. Instead, its since like this:

enter image description here

What have I done wrong?

1条回答
在下西门庆
2楼-- · 2020-02-07 10:43

In Elasticsearch Output plugin docs:
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-manage_template

Should you require support for other index names, or would like to change the mappings in the template in general, a custom template can be specified by setting template to the path of a template file.

Setting manage_template to false disables this feature. If you require more control over template creation, (e.g. creating indices dynamically based on field names) you should set manage_template to false and use the REST API to apply your templates manually.

By default, elasticsearch requires you to specify a custom template if using different index names other than logstash-%{+YYYY.MM.dd}. To disable, we need to include the manage_template => false key.

So with this new set of info, the working config should be:

output {
  elasticsearch {
    hosts => ["elasticsearch:9200"]
    index => "%{[fields][env]}-%{+yyyy.MM.dd}"
    manage_template => false
  }
  stdout { codec => rubydebug }
}
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)