Hello,
The live stream feature seems really nice! But I'm a little bit confused about this functionality: It looks like the same as the "Discover" view...isn't it?
We are already using the Elastic stack as a "big" farm to parse, store, and analyse the logs (10TB/month). Beat is not an option because it doesn't work on closed systems like appliances, network devices... so I really hope you will not focus only on beat 
The data used for Discovery and the Log UI is the same. By default the Log UI looks for the indices of Filebeat but you can configure it to any index you want, so it should also work with your data. What does your index pattern look like?
Thanks for the answer, we use multiple index patterns (around 20 patterns using 20 different templates in ES).
We parse system/event logs from linux/windows/switch/router.
And also antispam appliances, radius appliances...
In the doc you highlighted me in an other post it does not seems to be possible to use multiple "log templates/patterns".
But I may not understand correctly and maybe it is possible to change the "default" value in "xpack.infra.sources.default.someparameter" to use multiple templates.
e.g.
xpack.infra.sources.linuxevent.logAlias: 'logstash-event-linux-*'
xpack.infra.sources.linuxevent.fields.timestamp: 'mytimestampfield'
xpack.infra.sources.linuxevent.fields.message: 'field1', 'field2', 'field3', 'field4', 'field5'
xpack.infra.sources.windowsevent.logAlias: 'logstash-event-windows-*'
xpack.infra.sources.windowsevent.fields.timestamp: 'myothertimestampfield'
xpack.infra.sources.windowsevent.fields.message: 'field1', 'field2', 'field3'
xpack.infra.sources.switchevent.logAlias: 'logstash-event-switch-*'
xpack.infra.sources.switchevent.fields.timestamp: 'othertimestampfield'
xpack.infra.sources.switchevent.fields.message: 'field1', 'field2'
Is it possible or planned to be able to use multiple logalias/timestamp/message depending the index?
It is definitely planned, but unfortunately not yet possible. Thanks for giving us some insights into your use-case.
Wow quick answer, I'm glad to hear that ! BTW the live view can be very useful when you need to troubleshot in live flows or problem with appliances.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.