Change index of saved searches


#1

Hi,
I'm using filebeat to send logs from Filezilla server to ELK server. It's working, and the default index is filebeat-6.3.0-YYYY.mm.dd

I want to change that because more logs with filebeat will be sent and i don't want to mix differents logs application in one index.

So I have used redindex API to copy all indices in new indices ( filebeat-6.3.0-YYYY.mm.dd to filezilla-logs-YYYY.mm.dd)

When I change the source of a saved searched to have the informations from the new indices, I have a error message :

Could not locate that index-pattern (id: filezilla-logs-*),

But this pattern exisits, I have created this once I have renamed the indices.

I don't undestand what's wrong.

I have also created a new search from the new index and I saved it. When I read it, the index is a serial number : 2a61ec40-e2a2-11e8-a38e-69b7fe5aaa9d

Why it's not the same name as the index pattern ?

Fo winlogbeat or heartbeat, it's not a serial number.

So how I can have the saved searches with the new indices pattern without to recreated them from scratch ?

Thank you for your help.


#2

I have understood the problem.

When I have created the index pattern, I have not specified a custom pattern ID.

So I have deleted and created again my index patter with a custom pattern, it's OK, no error with the saved search.

The strange thing, I don't understand why my saved searches are not working when I choose the new index pattern.


(Joe Fleming) #3

They're all bound to the index pattern by the pattern's uniq (internal) id, not by the name of the index pattern. You'll have to either recreate your saved searches, or edit them in Management > Saved Objects to point to the new index pattern's id (which you can also find in that same interface).


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.