I found out today that elasticsearch 2.x does not allow field names to have
the period character in them.  This is making my life interesting as I use
elasticsearch with rsyslog end to end (no logstash), and a lot of our field
names have "." as a delimiter in them.

In a perfect world, I'd like an "elasticsearch" property formatter that
could look for and replace "." in field names with "_", that would also
work with the all-json property, something like:

property(name="$!all-json" format="elasticsearch")

Or, if this is too ES-specific for rsyslog core, perhaps we could add this
functionality to the omelasticsearch output itself (I'll look over the code
today).

I'd like to not have to introduce logstash to my environment just to regex
a character in field names.  I'm open to other ideas as well, just wanted
to start the conversation.

Cheers,
BRian
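
The field-name rewrite requested above, sketched outside rsyslog as an added example; it is not part of the original post and not rsyslog or omelasticsearch code. The function names, the sample event, and the numeric-suffix policy for colliding names are assumptions made for illustration.

```python
import json

def sanitize_keys(node, sep="_"):
    """Return a copy of node with '.' in every object key replaced by sep."""
    if isinstance(node, list):
        return [sanitize_keys(item, sep) for item in node]
    if not isinstance(node, dict):
        return node  # scalar values (including dotted ones like IPs) are untouched
    out = {}
    # Keys without dots are placed first, so a rewritten key never displaces
    # a field that already carried that exact name.
    for key in sorted(node, key=lambda k: "." in k):
        new_key = key.replace(".", sep)
        candidate, n = new_key, 1
        # Assumed policy: on a name collision, append a numeric suffix
        # instead of silently overwriting the existing field.
        while candidate in out:
            n += 1
            candidate = f"{new_key}{sep}{n}"
        out[candidate] = sanitize_keys(node[key], sep)
    return out

def rewrite_event(raw):
    """Parse one JSON event, rewrite its field names, and serialize it again."""
    return json.dumps(sanitize_keys(json.loads(raw)), sort_keys=True)

# Constructed sample event: dotted names at two nesting levels, plus a
# "src.ip" / "src_ip" pair that would collide after a naive replace.
SAMPLE = json.dumps({
    "msg": "login failed",
    "src.ip": "192.0.2.10",
    "src_ip": "198.51.100.7",
    "http": {"req.headers": [{"x.forwarded.for": "203.0.113.5"}]},
})

if __name__ == "__main__":
    print(rewrite_event(SAMPLE))
```

The collision case matters for log pipelines: a plain character replace would let one field overwrite the other before indexing, and the lost value would not be searchable afterwards.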
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog