We're using Elasticsearch for storing our application logs using daily indexes, which we delete after two weeks. Now we would like to keep all logs with the log level "error" for another 2 months.
We thought about using a separate index for all error messages and applying the different deletion rules there.
However, we don't want to add the logic regarding which index to write to ("normal" or the one for the errors) to each of our app servers' Logstash configs.
Is there a way to stream / continuously copy specific documents (the ones with level "error") from one index to another?
It seems like the ReIndex API could be used for that.
Is the right way to schedule a job which runs every 5 minutes or so with the ReIndex command?
Does ReIndex check which documents already exist and skip those?
If we run the script every 5 mins, we probably can also add a "query" field to limit the documents compared to the last 5 mins.
Setting version_type to external causes Elasticsearch to preserve the version from the source, create any documents that are missing, and update any documents that have an older version in the destination than they do in the source.
I understand that this means that documents which already exist in the target index will be updated if there is a newer version available, but not inserted twice.
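The scheduled copy described in the question, written out as an added example (this is not code from the original post or from Elastic). It assumes daily indices matching `logs-*`, a destination index `logs-errors`, a `level` field holding the log level and an `@timestamp` field; the cluster URL `http://localhost:9200` and the 2-minute overlap are also assumptions. It builds one `_reindex` request per run: the `query` limits the copy to error events in the last interval, `version_type: external` carries the source `_version` so an already-copied document is reported as a version conflict rather than written a second time, and `conflicts: proceed` keeps those expected conflicts from aborting the run. The overlap re-reads a slice of the previous window on purpose, so late-arriving events are still picked up; external versioning is what makes that re-read harmless.

```python
"""Periodically copy level:error documents from daily log indices into a
long-retention index with the Reindex API.
Added example, not from the post; index and field names are assumptions."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed names; the post does not give them.
SOURCE_PATTERN = "logs-*"      # daily indices such as logs-2016.03.01
DEST_INDEX = "logs-errors"     # index with the 2-month deletion rule
LEVEL_FIELD = "level"
TIME_FIELD = "@timestamp"


def build_reindex_body(source_pattern, dest_index, since, until,
                       level="error", level_field=LEVEL_FIELD,
                       time_field=TIME_FIELD):
    """Build the _reindex request body.

    - query restricts the copy to `level` events with a timestamp in
      [since, until); the wildcard source covers the midnight rollover.
    - dest.version_type "external" keeps the source _version, so a document
      already present in dest with the same or newer version is a version
      conflict instead of a second copy.
    - conflicts "proceed" counts those conflicts instead of failing the run,
      which is what makes repeated runs over an overlapping window safe.
    """
    return {
        "conflicts": "proceed",
        "source": {
            "index": source_pattern,
            "query": {
                "bool": {
                    "filter": [
                        {"term": {level_field: level}},
                        {"range": {time_field: {"gte": since.isoformat(),
                                                "lt": until.isoformat()}}},
                    ]
                }
            },
        },
        "dest": {"index": dest_index, "version_type": "external"},
    }


def window(now, interval_minutes=5, overlap_minutes=2):
    """Time window for one run: the last interval plus an overlap so that
    events indexed late (Logstash buffering, clock skew) are not missed."""
    until = now
    since = now - timedelta(minutes=interval_minutes + overlap_minutes)
    return since, until


def run_reindex(es_url, body, timeout=300):
    """POST the body to /_reindex and return the parsed JSON response."""
    req = urllib.request.Request(
        es_url.rstrip("/") + "/_reindex",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize(result):
    """Counts worth logging per run: created (new errors), updated (newer
    source version), version_conflicts (already copied; expected on every
    run because of the overlap) and any hard failures."""
    return {
        "created": result.get("created", 0),
        "updated": result.get("updated", 0),
        "version_conflicts": result.get("version_conflicts", 0),
        "failures": len(result.get("failures", [])),
    }


if __name__ == "__main__":
    since, until = window(datetime.now(timezone.utc))
    body = build_reindex_body(SOURCE_PATTERN, DEST_INDEX, since, until)
    print(json.dumps(body, indent=2))
    # Run from a 5-minute cron job against a real cluster (assumed URL):
    # print(summarize(run_reindex("http://localhost:9200", body)))
```

Run it every 5 minutes from cron; watch `failures` and treat a non-zero `version_conflicts` as normal, since the overlap guarantees some. Without `conflicts: proceed` the very first document that was already copied would abort the whole run.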