Description
Operations use a beat to send data to Logstash and then to Elasticsearch. They add the following filters
in the Logstash pipeline:
```
filter {
  mutate {
    add_field => { "[beat][beat]" => "%{[@metadata][beat]}" }
    add_field => { "[beat][version]" => "%{[@metadata][version]}" }
  }
}
```
And here is the Logstash output plugin:
```
output {
  stdout { codec => rubydebug }
  elasticsearch {
    hosts => ["localhost:9200"]
    id => "beats_to_elk_test"
    codec => "json"
    manage_template => false
    index => "%{[beat][beat]}-%{[beat][version]}-%{+YYYY.MM.dd}"
  }
}
```
The index didn't get created because beat.version is now an array, "beat.version => 5.6.4, %{[@metadata][version]}". There is a WARN message in the Logstash log:
[2018-04-16T17:03:25,774][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-5.6.4,%{[@metadata][version]}-2018.04.17", :_type=>"log", :_routing=>nil}, 2018-04-17T00:03:20.605Z local 111.111.111.111 - - [25/Sep/2014:12:00:00 +0000] "GET /scripts/netcat-webserver HTTP/1.1" 200 182 "-" "Mozilla/5.0 (compatible; EasouSpider; +http://www.easou.com/search/spider.html)"], :response=>{"index"=>{"_index"=>"filebeat-5.6.4,%{[@metadata][version]}-2018.04.17", "_type"=>"log", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [filebeat-5.6.4,%{[@metadata][version]}-2018.04.17], must not contain the following characters [ , ", *, \, <, |, ,, >, /, ?]", "index_uuid"=>"na", "index"=>"filebeat-5.6.4,%{[@metadata][version]}-2018.04.17"}}}}
Since it is a WARN message, the customer will probably miss it and not know why the index was not created in Elasticsearch.
Could we make this an ERROR message instead?
- Version: logstash 5.6.4
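
While the message is logged at WARN, the dropped events can still be caught by scanning the Logstash log for it. The following is an added example, not part of the original report or of Logstash itself; the sample lines are constructed from the log entry above (event body shortened) and the function name is hypothetical.

```python
import re

# Constructed sample lines modelled on the WARN entry in this report (event body shortened).
SAMPLE_LOG = [
    '[2018-04-16T17:03:25,774][WARN ][logstash.outputs.elasticsearch] Could not index event '
    'to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, '
    ':_index=>"filebeat-5.6.4,%{[@metadata][version]}-2018.04.17", :_type=>"log", '
    ':_routing=>nil}, "<event>"], :response=>{"index"=>{"status"=>400, '
    '"error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name"}}}}',
    '[2018-04-16T17:03:26,001][INFO ][logstash.pipeline] Pipeline main started',
]

HEADER = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+)\]\s*(?P<msg>.*)$')
STATUS = re.compile(r':status=>(\d+)')
INDEX = re.compile(r':_index=>"([^"]*)"')
ERRTYPE = re.compile(r'"error"=>\{"type"=>"([^"]+)"')
UNRESOLVED = re.compile(r'%\{[^}]+\}')   # sprintf reference that was never substituted
ILLEGAL = set(' "*\\<|,>/?')             # characters listed in the Elasticsearch error above

def find_dropped_events(lines):
    """Return one finding per 'Could not index event' entry, whatever its log level."""
    findings = []
    for line in lines:
        m = HEADER.match(line)
        if not m or "Could not index event to Elasticsearch" not in m["msg"]:
            continue
        msg = m["msg"]
        status, index, err = STATUS.search(msg), INDEX.search(msg), ERRTYPE.search(msg)
        name = index.group(1) if index else ""
        findings.append({
            "timestamp": m["ts"],
            "level": m["level"],
            "status": int(status.group(1)) if status else None,
            "index": name,
            "error_type": err.group(1) if err else None,
            # Either of these explains a 400 on the index name itself.
            "unresolved_refs": UNRESOLVED.findall(name),
            "illegal_chars": sorted(set(name) & ILLEGAL),
        })
    return findings

if __name__ == "__main__":
    for f in find_dropped_events(SAMPLE_LOG):
        print(f)
```
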