Get a DemoStart Free TrialSign In
backBack to Blog

Getting Started, How To Guides, Logstash

1 min read

Last updated:

Contents

Learn how to specify different index names in Elasticsearch Logit uses a predefined way to set the index names so by default all new Logit Stacks that send data via Logstash have an index name of logstash-*.

Can I change the index name to something different?

Absolutely, you can change the name of the index, or send your logs to multiple indexes by adding conditions to your Logstash filters.

Tip: To edit your Logstash filters for any Stack choose View Stack Settings > Logstash Pipelines from your Dashboard.

If your sending your data via an Elastic beat such as Filebeat your condition should be:

mutate
{
  replace => { "[@metadata][beat]" => “YOURINDEXNAME” }
}

Alternatively inside your condition you can specify the index name using add_field.

if[FIELD] == "CONDITION" {  
   mutate 
   {      
      add_field => { "[@metadata][beat]" => "YOURINDEXNAME" }
   }
}

Where field is a field name within your logs. So if you wanted to have your IIS logs in their own index you could add:

if[type] == "iis" {  
   mutate 
   {      
      add_field => { "[@metadata][beat]" => "iis" }
   }
}

How can we re-index the data after an index name change?

Depending on the volume the simplest way is to resend the data, you can also use the re-index Elasticsearch API. If you no longer require the historic data, you can simply delete the index.

Are there any index name limitations with Elasticsearch?

There are several limitations to what you can name your index. The complete list of limitations are:

  • Lowercase only
  • Cannot include , /, *, ?, “, <, >, |, (space character), ,, #
  • Indices prior to 7.0 could contain a colon (:), but that’s been deprecated and won’t be supported in 7.0+
  • Cannot start with -, _, +
  • Cannot be . or ..
  • Cannot be longer than 255 bytes (note it is bytes, so multi-byte characters will count towards the 255 limit faster)

If you enjoyed this article on how can I change the index name of Logstash -* then why not check out our post on how can I make sure my Elastalert rule is configured correctly? as well as our article on how can I export data from a Kibana search?

Get the latest elastic Stack & logging resources when you subscribe

backBack to Blog