New Index


Brenno Garcia

May 4, 2026, 9:06:07 AM (6 days ago) May 4
to Wazuh | Mailing List
Hello,

I need to create a new index to separate these alert groups: browser_history, browser_error

For example: wazuh-browser_history-index-yyyy-mm-dd

Md. Nazmur Sakib

May 4, 2026, 9:46:25 AM (6 days ago) May 4
to Wazuh | Mailing List

Hi Brenno,

I believe you are trying to create a custom index name based on the alert's rule.groups value.


For this, you need to make changes in the filebeat ingest pipeline.

In /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json, replace this:

    {
      "date_index_name": {
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },

with this:

    {
      "date_index_name": {
        "if": "ctx.rule?.groups == 'browser_history'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}browser-history-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": true
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups == 'browser_error'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}browser-error-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": true
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups != 'browser_history' && ctx.rule?.groups != 'browser_error'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },

Load the pipeline.
filebeat setup --pipelines
systemctl restart filebeat

This will create an index for these rule groups. For browser_history, it will be wazuh-alerts-4.x-browser-history-yyyy-mm-dd.

You can check the indexes from Indexer Management -> Dev Tools:

GET /_cat/indices



Let me know if this works for you.

Brenno Garcia

May 4, 2026, 10:52:33 AM (6 days ago) May 4
to Wazuh | Mailing List
Hello,
Okay, but I intend to connect my Grafana to the wazuh-alerts-4.x* index, but without including the browser_history alerts.

I still want to keep the dates for each index.

Is it also possible to redirect the old alerts to this new index?

Brenno Garcia

May 4, 2026, 12:13:35 PM (6 days ago) May 4
to Wazuh | Mailing List
Hello,
I noticed I can use the pattern wazuh-alerts-4.x-2* in Grafana and it segregates correctly.

But the new pipeline didn't work for me:
bash-5.2# vim /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
bash-5.2# grep -i date_index -A 10 -B 1 /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
    {
      "date_index_name": {
        "if": "ctx.rule?.groups == 'browser_history' || ctx.rule?.groups == 'browser_extension'",

        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}browser-history-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": true
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups == 'browser_error'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}browser-error-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": true
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups != 'browser_history' && ctx.rule?.groups != 'browser_error'",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },
    { "remove": { "field": "message", "ignore_missing": true, "ignore_failure": true } },
    { "remove": { "field": "ecs", "ignore_missing": true, "ignore_failure": true } },

bash-5.2# filebeat setup --pipelines
Loaded Ingest pipelines
bash-5.2# ^C
bash-5.2#
exit
[user@wazuh~]# docker restart 87

No errors in:
grep -iE "Warn|error"
But the new index wasn't created.
[attachment: Screenshot_15.png]
On Monday, May 4, 2026 at 10:46:25 UTC-3, Md. Nazmur Sakib wrote:

Md. Nazmur Sakib

May 5, 2026, 2:35:33 AM (5 days ago) May 5
to Wazuh | Mailing List
It seems like the alert rule.groups names are different from what we initially configured. We were using browser_history instead of Browser History.
Also, the alert's rule.groups field is an array. Considering all this, I have updated the configuration. Please replace the previous configuration with this one.




    {
      "date_index_name": {
        "if": "ctx.rule?.groups != null && (ctx.rule.groups.contains('Browser History') || ctx.rule.groups.contains('Browser Extension'))",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}browser-history-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": true
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups != null && ctx.rule.groups.contains('Browser Error')",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}browser-error-",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": true
      }
    },
    {
      "date_index_name": {
        "if": "ctx.rule?.groups == null || (!ctx.rule.groups.contains('Browser History') && !ctx.rule.groups.contains('Browser Extension') && !ctx.rule.groups.contains('Browser Error'))",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": false
      }
    },


Now, load the pipeline.

filebeat setup --pipelines
systemctl restart filebeat


This is a test result from my end.

[attachment: Screenshot 2026-05-05 at 12.29.25 PM.png]



Let me know if this works for you.

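Added example (my own Python, not Wazuh's code and not code from the thread) covering both pipeline versions posted above: it regenerates the three corrected conditional date_index_name processors as data, shows in Python why the first version's `ctx.rule?.groups == 'browser_history'` could never match a list-valued rule.groups (which is why no new index appeared), computes the index each sample alert would land in, including the UTC day-rounding edge case that matters for a UTC-3 deployment, and builds a request body for the indexer's `POST _ingest/pipeline/_simulate` API so the routing can be checked in Dev Tools before `filebeat setup --pipelines` touches the live pipeline. Assumptions: fields.index_prefix is "wazuh-alerts-4.x-" (the value the Wazuh Filebeat configuration normally sets); the sample alerts are constructed for this example.

```python
import json
from datetime import datetime, timezone

# Assumption: Wazuh's Filebeat configuration sets fields.index_prefix to this
# value; the pipeline appends the rounded timestamp to it.
INDEX_PREFIX = "wazuh-alerts-4.x-"
DATE_FORMAT = "%Y.%m.%d"  # index_name_format "yyyy.MM.dd"

# Group names exactly as they appear in the alerts (the thread's corrected,
# space-separated spelling) and the extra prefix each set selects.
BROWSER_HISTORY = ("Browser History", "Browser Extension")
BROWSER_ERROR = ("Browser Error",)


def conditional_processor(groups, suffix):
    """One date_index_name processor guarded by a Painless 'if', as in the
    corrected pipeline: null-safe check first, then List.contains()."""
    cond = " || ".join(f"ctx.rule.groups.contains('{g}')" for g in groups)
    return {"date_index_name": {
        "if": f"ctx.rule?.groups != null && ({cond})",
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}" + suffix,
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": True,
    }}


# Catch-all for everything else, so no alert is left without an _index.
CATCH_ALL = "ctx.rule?.groups == null || (" + " && ".join(
    f"!ctx.rule.groups.contains('{g}')" for g in BROWSER_HISTORY + BROWSER_ERROR) + ")"

PROCESSORS = [
    conditional_processor(BROWSER_HISTORY, "browser-history-"),
    conditional_processor(BROWSER_ERROR, "browser-error-"),
    {"date_index_name": {
        "if": CATCH_ALL,
        "field": "timestamp",
        "date_rounding": "d",
        "index_name_prefix": "{{fields.index_prefix}}",
        "index_name_format": "yyyy.MM.dd",
        "ignore_failure": False,
    }},
]


def alert_day(alert):
    """date_rounding 'd': the processor rounds the timestamp in UTC (its
    default timezone), so a late-evening UTC-3 alert lands in the next day."""
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    return ts.astimezone(timezone.utc).strftime(DATE_FORMAT)


def groups_contain(groups, names):
    """Python equivalent of: ctx.rule?.groups != null && groups.contains(x)."""
    return groups is not None and any(n in groups for n in names)


def route_index(alert, prefix=INDEX_PREFIX):
    """Index name the corrected pipeline assigns to one alert."""
    groups = alert.get("rule", {}).get("groups")
    if groups_contain(groups, BROWSER_HISTORY):
        return prefix + "browser-history-" + alert_day(alert)
    if groups_contain(groups, BROWSER_ERROR):
        return prefix + "browser-error-" + alert_day(alert)
    return prefix + alert_day(alert)


def scalar_compare_matches(alert, name="browser_history"):
    """The thread's first attempt, ctx.rule?.groups == 'browser_history':
    rule.groups is a list, so equality with a string is never true and every
    alert fell through to the catch-all processor (no new index created)."""
    return alert.get("rule", {}).get("groups") == name


def simulate_body(alerts, processors=PROCESSORS, index_prefix=INDEX_PREFIX):
    """Body for POST _ingest/pipeline/_simulate in the indexer's Dev Tools.
    Filebeat normally injects fields.index_prefix, so the simulated docs carry
    it explicitly; the response shows the _index each document would get."""
    docs = [{"_index": "wazuh-alerts",
             "_source": {**a, "fields": {"index_prefix": index_prefix}}}
            for a in alerts]
    return {"pipeline": {"processors": processors}, "docs": docs}


# Constructed sample alerts (not real data); timestamps use Wazuh's format.
SAMPLE_ALERTS = [
    {"timestamp": "2026-05-04T12:06:07.123+0000", "agent": {"name": "ws-01"},
     "rule": {"level": 3, "groups": ["Browser History", "local"]}},
    {"timestamp": "2026-05-04T12:06:08.456+0000", "agent": {"name": "ws-01"},
     "rule": {"level": 5, "groups": ["Browser Error", "local"]}},
    {"timestamp": "2026-05-04T12:06:09.789+0000", "agent": {"name": "srv-01"},
     "rule": {"level": 5, "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"timestamp": "2026-05-04T23:30:00.000-0300", "agent": {"name": "ws-02"},
     "rule": {"level": 3, "groups": ["Browser Extension"]}},  # 02:30 UTC, May 5
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(route_index(a), a["rule"]["groups"])
    print(json.dumps(simulate_body(SAMPLE_ALERTS), indent=2))
```

Paste the printed simulate body into Dev Tools as `POST _ingest/pipeline/_simulate` and compare the `_index` of each returned document with what `route_index` predicts; if they differ, the group names in your rules are not the ones the conditions test for, which is the failure the thread hit. Keep a catch-all processor in place so that alerts whose groups you did not anticipate still reach the default index rather than being dropped.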