LOGSTASH_INDEX

The documentation for the Auth0 Logstash integration:

mentions setting LOGSTASH_INDEX. Can an example be provided in the documentation of how to set this? The docs are not clear; typically I would configure the index in the Logstash output plugin, not here in Auth0.

If you only use one index then its name could just be hardcoded in the output configuration and this setting would be mostly irrelevant; however, if you want to redirect data to multiple indexes then you’ll use some field coming from the input data as a way to resolve the respective index name.

The LOGSTASH_INDEX is just a field, named index, that will be added to the payload sent to Logstash in every event; if you had multiple Auth0 accounts sending to the same infrastructure this could be used for disambiguation and could possibly be used directly for redirecting to the correct index. For example, in your setup configuration you could do:

index => "%{index}-%{+YYYY.MM.dd}"

Thanks for the reply! I tried setting a few different various values for LOGSTASH_INDEX in the config for the extension. What I found is that whatever value I set was sent as a field with that name, set to a value of “auth0”.

For example, initially I was confused by the documentation so I entered: LOGSTASH_INDEX = auth0-%{+YYYY.MM.dd} in the Auth0 Extension config

In Elasticsearch I then got a field named “auth0-%{+YYYY.MM.dd}” with a value of “auth0”.

I have currently settled on LOGSTASH_INDEX = source, which gives me a field “source” set to the value “auth0”.

Damn, I looked at the code before giving you the reply, but I misinterpreted it (aka I read the code as if it was doing what made sense to me at the time instead of what it actually does).

In conclusion, what it’s doing, which is what you describe, does not make sense to me. I’ll need to follow up on this internally; sorry for misleading you.
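
Added example, not part of the original thread or of Auth0's documentation: a Logstash pipeline fragment that routes on the field the extension was observed to send above (`source` set to `auth0`, from `LOGSTASH_INDEX = source`). It maps that field to a fixed index prefix kept in `@metadata`, because an unresolved `%{index}` reference in the output would be written out literally as the index name. The host URL and the `unrouted` prefix are placeholder assumptions, and the input section is omitted.

```conf
filter {
  # The thread reports that LOGSTASH_INDEX = source yields the field
  # "source" with the value "auth0" on every event from the extension.
  if [source] == "auth0" {
    # Choose the index prefix here instead of interpolating a value
    # supplied by the sender; @metadata fields are not indexed.
    mutate { add_field => { "[@metadata][index_prefix]" => "auth0" } }
  } else {
    # Events without the expected marker go to a separate index
    # (hypothetical name) so they can be reviewed, not silently mixed in.
    mutate { add_field => { "[@metadata][index_prefix]" => "unrouted" } }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # placeholder, adjust to your cluster
    # Every event has index_prefix set by the filter above, so this
    # reference always resolves to "auth0" or "unrouted".
    index => "%{[@metadata][index_prefix]}-%{+YYYY.MM.dd}"
  }
}
```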