logstash metadata not passed to elasticsearch

Question

I am trying to follow the example https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-centos-7

But the index name set by 30-elasticsearch-output.conf is not being resolved. In the example 30-elasticsearch-output.conf file:

index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

In my case, the result elasticsearch index name is:

"%{[@metadata][beat]}-2016.09.07"

Only the date portion of the index name is set correctly. What is responsible for setting the metadata value? I must have missed something in following the example.

This is related to a question asked earlier: ELK not passing metadata from filebeat into logstash

Have you seen this page : https://www.elastic.co/guide/en/beats/filebeat/1.3/faq.html#metadata-missing? Apparently metadata is remove by the logstash outputs, so _maybe_ the metadata is already removed when it tries to retrieve the value for the index name — baudsp, Sep 08 '16 at 07:52

score 0 · Accepted Answer · answered Mar 15 '18 at 08:51

0

You can create index like this

 index => "%{[beat][name]}-%{+YYYY.MM.dd}"

This would work definitely.

answered Mar 15 '18 at 08:51

mohdasha

311
1
7

logstash metadata not passed to elasticsearch

1 Answers1