I have created the following custom index under the output node in logstash.conf. It's been more than an hour and blend_test still doesn't show up in the Kibana indices list (elk_server_ip:9200/_cat/indices):
elasticsearch {
    hosts => "elk_server_ip:9200"
    manage_template => false
    index => "blend_test*"
}
Please suggest if I am doing something wrong. FYI, I have also restarted filebeat and logstash.
filebeat.yml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /home/mahesh/Documents/refactor/nomi/unity/media/*.log
output.logstash:
  enabled: true
  hosts: ["localhost:5044"]
logstash.conf
input {
    beats {
        port => 5044
        ssl => false
    }
}
filter {
    grok {
        match => { "message" => "%{TIMESTAMP_ISO8601:timestamp}] %{LOGLEVEL:loglevel}\|%{GREEDYDATA:module}\|%{GREEDYDATA:content}" }
    }
    date {
        locale => "en"
        match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
        target => "@timestamp"
        timezone => "America/New_York"
    }
}
output {
    elasticsearch {
        hosts => "elk_server_ip:9200"
        manage_template => false
        index => "blend_test*"
    }
    stdout { codec => rubydebug { metadata => true } }
}
AFAIK you can't use wildcards in the "index" setting of the elasticsearch output plugin:
index
Value type is string
Default value is "logstash-%{+yyyy.MM.dd}"
The index to write events to. This can be dynamic using the %{foo} syntax. The default value will partition your indices by day so you can more easily delete old data or only search specific date ranges. Indexes may not contain uppercase characters. For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}. LS uses Joda to format the index pattern from event timestamp. Joda formats are defined here.
If you want something "custom" you can use event fields with the %{foo} syntax.
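To make the answer concrete, here is an added example (not part of the original answer, and not Logstash's own code) that expands a Logstash index pattern the way the output plugin documents it, `%{field}` from the event and `%{+...}` from the event's @timestamp using a small subset of Joda tokens, and then checks the result against Elasticsearch's index-name rules. Run against the asker's `blend_test*` it reports the forbidden `*`; run against the usual fix, `blend_test-%{+yyyy.MM.dd}`, it yields a valid daily index name. The sample event is constructed; the unresolved-field behaviour (leaving `%{missing}` verbatim) mirrors Logstash's sprintf and is an assumption of this helper, not a documented API.

```python
import re
from datetime import datetime, timezone

# Characters Elasticsearch rejects in an index name (uppercase is checked separately).
FORBIDDEN_CHARS = set('\\/*?"<>| ,#:')

# Subset of Joda date tokens mapped onto strftime directives.
JODA_TO_STRFTIME = {"yyyy": "%Y", "xxxx": "%G", "MM": "%m", "dd": "%d", "ww": "%V", "HH": "%H"}

# Constructed sample event, standing in for one Logstash event after the date filter ran.
EVENT = {
    "@timestamp": datetime(2019, 8, 20, 13, 5, 0, tzinfo=timezone.utc),
    "loglevel": "INFO",
    "module": "media",
}


def render_index_pattern(pattern, event):
    """Expand %{field} and %{+joda} references in a Logstash index pattern.

    Assumption: an unresolved %{field} is left in place verbatim, as Logstash's
    sprintf does, so a typo in the field name shows up in the rendered name.
    """
    ts = event["@timestamp"]

    def repl(match):
        body = match.group(1)
        if body.startswith("+"):
            fmt = body[1:]
            # Replace longer tokens first so 'yyyy' is not partially consumed.
            for tok, directive in sorted(JODA_TO_STRFTIME.items(), key=lambda kv: -len(kv[0])):
                fmt = fmt.replace(tok, directive)
            return ts.strftime(fmt)
        return str(event.get(body, match.group(0)))

    return re.sub(r"%\{([^}]+)\}", repl, pattern)


def index_name_problems(name):
    """Return a list of reasons Elasticsearch would reject this index name (empty if valid)."""
    problems = []
    if not name:
        problems.append("is empty")
        return problems
    if name != name.lower():
        problems.append("contains uppercase characters")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("contains forbidden characters: " + "".join(bad))
    if name[0] in "-_+":
        problems.append("starts with '-', '_' or '+'")
    if name in (".", ".."):
        problems.append("is '.' or '..'")
    if len(name.encode("utf-8")) > 255:
        problems.append("longer than 255 bytes")
    return problems


def check_index_setting(pattern, event):
    """Render the pattern for one event and validate the resulting index name."""
    rendered = render_index_pattern(pattern, event)
    return rendered, index_name_problems(rendered)


if __name__ == "__main__":
    for pattern in ("blend_test*", "blend_test-%{+yyyy.MM.dd}", "blend_test-%{module}", "blend_test-%{+xxxx.ww}"):
        rendered, problems = check_index_setting(pattern, EVENT)
        status = "OK" if not problems else "REJECTED (" + "; ".join(problems) + ")"
        print(f"{pattern!r:32} -> {rendered!r:24} {status}")
```

The wildcard is rejected because `*` is never legal in an index name; Elasticsearch only accepts wildcards in search and `_cat` requests, never when writing. A date suffix such as `%{+yyyy.MM.dd}` is what turns one `index` setting into a daily series of indices, which is also what the default `logstash-%{+yyyy.MM.dd}` does.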