I am using the ELK stack for analyzing logs. As per the default
configuration, a new index named "logstash-YYYY-MM-DD" is created by ES.
So if I have configured logstash to read like this:
/var/log/rsyslog/**/2014-12-0[1-7]/auditd.log
it is reading old logs and the index name created will be
"logstash-2015-03-20", so this index will have documents (logs) of previous
dates.
My problem occurs when I have to delete indexes, if I have to keep only the
last one week's data and purge the older indices. When I delete all index
names except the last 7 days, I have no way of tracking which days' logs are
kept in which index name. E.g. 2014-12-07's logs may be kept in either of the
indices named logstash-2015-03-19 or logstash-2015-03-20.
You should really be setting the event timestamp to the one from the log
file.
If you ask over on the Google Groups list you will get some guidance on
that.
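One way to do what the answer suggests, as an added example that is not part of the original thread: a Logstash pipeline that pulls the timestamp out of each audit record and uses it as the event's @timestamp, so the daily index an event lands in is named after the day the event happened, not the day Logstash read the file. This assumes the files contain raw auditd records (every one carries a `msg=audit(EPOCH.MS:SERIAL):` field) rather than syslog-wrapped lines, and that Elasticsearch is reachable at localhost:9200; both are assumptions, not facts from the thread. The grok pattern, the `audit_epoch` field name and the host are illustrative.

```logstash
input {
  file {
    # Same glob as in the question; re-read from the start so old files
    # are ingested, and do not persist read offsets for this one-off import.
    path => "/var/log/rsyslog/**/2014-12-0[1-7]/auditd.log"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

filter {
  # Assumed record format (constructed example):
  #   type=SYSCALL msg=audit(1417910412.123:4567): arch=c000003e syscall=59 ...
  # The value inside audit(...) is seconds since the epoch with a fractional
  # part, followed by the record serial. Keep both; the epoch is what we need.
  grok {
    match => { "message" => "msg=audit\(%{NUMBER:audit_epoch}:%{INT:audit_serial}\)" }
    tag_on_failure => [ "_no_audit_timestamp" ]
  }

  # Overwrite @timestamp (which defaults to the time Logstash saw the line)
  # with the event's own time. "UNIX" accepts integer or fractional seconds.
  # Events that failed grok keep the ingest time and carry the failure tag,
  # so they can be spotted instead of silently landing in today's index.
  if "_no_audit_timestamp" not in [tags] {
    date {
      match  => [ "audit_epoch", "UNIX" ]
      target => "@timestamp"
    }
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    # %{+YYYY.MM.dd} is evaluated against @timestamp, so a record from
    # 2014-12-07 goes to logstash-2014.12.07 even if it is indexed in March 2015.
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
```

Once every event's @timestamp reflects the record's own time, "keep the last 7 days" really is "keep the 7 newest index names", and deleting an index by name cannot take a different day's logs with it. Two caveats worth checking before relying on this for retention: grep the index you just built for events tagged `_no_audit_timestamp` (those are the ones still dated by ingest time), and if the files turn out to be syslog-formatted rather than raw audit records, parse the `audit(...)` epoch from the message body anyway rather than the syslog header, because a syslog header carries no year and December 2014 lines read in March 2015 would otherwise be guessed into the wrong year.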