stackoom
  简体   繁体   中英

Index Name Not Being Set in Filebeat to Elasticsearch - ELK .NET Docker ElasticHQ

 原文  2020-02-10 16:12:48       elasticsearch/ docker-compose/ filebeat

Question

I am experimenting with some json that has been formatted in accordance with Elasticsearch , so I have gone directly from Filebeat to Elasticsearch, as opposed to going through Logstash . This is using docker-compose :

version: '2.2'
services:
  elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:7.5.2
    ports:
      - 9200:9200
      - 9300:9300
    environment:
      - discovery.type=single-node
      - cluster.name=docker-
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    networks:
      - esnet
  filebeat:
    container_name: filebeat
    build:
      context: .
      dockerfile: filebeat.Dockerfile
    volumes:
      - ./logs:/var/log
      - ./filebeat/filebeat.yml:/usr/share/filebeat/filebeat.yml
    networks:
      - esnet  
  elastichq:
    container_name: elastichq
    image: elastichq/elasticsearch-hq
    ports:
      - 8080:5000
    environment:
      - HQ_DEFAULT_URL=http://elasticsearch:9200
      - HQ_ENABLE_SSL=False
      - HQ_DEBUG=FALSE
    networks:
      - esnet  
networks:
  esnet:

However, when I open ElasticHQ the index name has been labeled as filebeat-7.5.2-2020.02.10-000001 with a date stamp. I have specified the index name as Sample in my filebeat.yml . Is there something I am missing, or is this behavior normal?

Here is my filebeat.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/*.json
  json.keys_under_root: true
  json.add_error_key: true 

#----------------------------- Elasticsearch output --------------------------------

output.elasticsearch:
  hosts: ["elasticsearch:9200"]
  index: "sample-%{+YYYY.MM.dd}"


setup.template.name: "sample"
setup.template.pattern: "sample-*"

It would be more practical to know something predefined so if I use Postman as opposed to ElasticHQ, I can start querying my data without having to look for the index name.

1 answers

solution1
 1 ACCPTED  2020-02-21 18:27:40

I thinkFilebeat ILM might be taking over instead of the configured index name.

Starting with version 7.0, Filebeat uses index lifecycle management by default when it connects to a cluster that supports lifecycle management. Filebeat loads the default policy automatically and applies it to any indices created by Filebeat.

And when ilm is enabled Filebeat Elasticsearch output index settings are ignored

The index setting is ignored when index lifecycle management is enabled. If you're sending events to a cluster that supports index lifecycle management, see Configure index lifecycle management to learn how to change the index name.

You might need to disable ILM or better yet configure your desired filename using ILM rollover_alias.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question docker-elk - how is it persisting elasticsearch index? Reindexing a index in elasticsearch - ELK Filebeat is not creating index in Elasticsearch Dynamic index in elasticsearch with filebeat Is it possible to maintain the index name from FileBeat to LogStash for Elasticsearch? Filebeat Index name Zipkin + Elasticsearch (ELK) not create index ERROR pipeline/output.go:100 Failed to connect to backoff(async(tcp://logstash:5044)) - ELK Filebeat .NET Core 3.1 Docker How to set up elasticsearch and filebeat Filebeat with ELK stack running in Kubernetes does not capture pod name in logs
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM