How to use pipeline field vars to construct opensearch sink index param

searchspark2310 · July 25, 2022, 8:31pm

With logstash i would use some filters to construct the index name based on certain other params. Then I would use that newly constructed field in the output config for the index param.

For example, in Logstash:

filter {
    mutate {
        add_field => { "index_lowercase" => "index-%{team}-%{role}" }

    }

    mutate {
        lowercase => [ "index_lowercase" ]
    }
}

output {
    opensearch {
            index => "%{index_lowercase}"
    }
}

When I try to do the same in Dataprepper I get:

Caused by: java.lang.IllegalArgumentException: Index time pattern contains time patterns that are less than one hour: [m, s, S, A, n, N]

The config I’m trying in Dataprepper is:

processor:
    - add_entries:
        entries:
        - key: "index_lowercase"
          value: "index-%{team}-%{role}"

    - lowercase_string:
        with_keys:
          - "index_lowercase"
  
  sink:
      - opensearch:
          hosts: [https://my_opensource_host:9200]
          username: "someusername"
          password: "some_password_here"
          insecure: true
          index_type: management_disabled
          index: "%{index_lowercase}"
          dlq_file: "/usr/share/data-prepper/index_failures.dlq"

I see in the documentation for this sink type that it can support date/time macro formatting but I would like to take it a step further and use field values to make the index name dynamic. Is this supported?

ddpowers · July 28, 2022, 9:04pm

Hi @searchspark2310,

Currently, we do not have a feature to customize index names by key-value. Is that what you are asking?

Thanks,
–David

dlv · August 8, 2022, 3:27pm

@searchspark2310 , There is an open feature request to add this type of support. At the moment, we don’t have it scheduled for any given release.

github.com/opensearch-project/data-prepper

Dynamic Index Name in OpenSearch sink

opened 05:32PM - 01 Jun 22 UTC

dlvenable

enhancement

**Is your feature request related to a problem? Please describe.** Some use-c…ases require placing different documents in different dynamic indices. Pipeline authors want to configure a dynamic index name that is derived from a property (or multiple properties) in a Data Prepper event. **Describe the solution you'd like** Support dynamic index names using a format string. This format string can use `${}` to signal string interpolation and use JSON Pointer for getting fields from events. For example: `metadata-${metadataType}`. ``` pipeline: ... sink: opensearch: hosts: ["https://opensearch-host"] index_type: custom index: "metadata-${metadataType}" ``` **Describe alternatives you've considered (Optional)** Using conditional routing could allow for supporting a predefined number of indices. However, this approach has a very practical bound. Using this format string allows for unlimited (from Data Prepper's perspective) indices. **Additional context** N/A

Offir · November 2, 2023, 7:54am

Thanks for this information, i have tried to use this pattern unsuccessfully.
Im using SQS to get events from S3 and ingest to domain.
I tried to use dynamic index by add suffix such this in the example - also tried ${data}, ${time}, and more option (some of them from the SQS event JSON) and nothing works.
The Error is - “The key ___ could not be found in the Event when formatting”.
any idea what is the problem and can i get the Event fields in order to use them?

Topic		Replies	Views
Data Prepper Dynamic Index using keys from logs Data Prepper configure	3	541	May 11, 2023
TimeStamp based index creation scope in Opensearch Data streams OpenSearch	1	38	April 18, 2024
How can i set custom index in opensearch serverless pipeline? Data Prepper	1	270	February 16, 2024
Fields mixed in index pattern creation Index Management configure	3	405	April 18, 2022
Dataprepper read line with json and text Data Prepper	3	556	October 10, 2023

How to use pipeline field vars to construct opensearch sink index param

Related Topics