Extract specific log set from others indexed together

I want to know how I can extract/separate my nginx logs from an index where they are saved along with systemd logs and others (cron, fail2ban, etc.).
I have it indexed with the ident "nginx".
My point is to be able to back up only the nginx logs, not all the other logs.
I tried with _reindex, but I don't understand well how to do it or even if it is possible. I also read about Elasticsearch and Kibana being schema on write, which means that if I want to change it I need to rebuild all my environment.

Hi @necromancer (nice username), welcome to our community :wave:

For new documents you may want to look at the reroute processor that you can put in an ingest pipeline. Funny fact, the examples in the docs are exactly your use case :smile:

For existing documents you can "copy" your documents to a new index using _reindex and a query; check this example from the docs.

Be sure to first create your new index with the appropriate mappings and settings.

(moving this thread to the Elasticsearch forum since there's nothing specific about Kibana here)
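
The `_reindex`-with-a-query approach from the reply above, as an added example that is not part of the original posts: it copies only the documents whose `ident` is `nginx` into a separate index, then compares document counts so the copy can be trusted as a backup source. The URL and the index names `logs-all` and `logs-nginx` are assumptions, as is `ident` being an exact-match (keyword) field.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. ES_URL, SRC and DST are assumed names;
# the field "ident" and the value "nginx" come from the question.
ES_URL="${ES_URL:-http://localhost:9200}"
SRC="${SRC:-logs-all}"     # assumed: the mixed index (nginx, systemd, cron, ...)
DST="${DST:-logs-nginx}"   # assumed: new index, created beforehand with its mappings

# Query that selects only documents whose ident is exactly the given value.
ident_query() {
  printf '{"term":{"ident":"%s"}}' "$1"
}

# Body for POST _reindex: copy documents matching ident=$3 from $1 into $2.
reindex_body() {
  printf '{"source":{"index":"%s","query":%s},"dest":{"index":"%s"}}' \
    "$1" "$(ident_query "$3")" "$2"
}

# Pull the number out of a _count response without depending on jq.
parse_count() {
  sed -n 's/.*"count":\([0-9]*\).*/\1/p'
}

# es METHOD PATH [BODY]: the body is sent only when one is given.
es() {
  curl -sS -X "$1" "$ES_URL/$2" -H 'Content-Type: application/json' ${3:+-d "$3"}
}

main() {
  es POST "_reindex?wait_for_completion=true" "$(reindex_body "$SRC" "$DST" nginx)"
  es POST "$DST/_refresh" >/dev/null
  # The copy is complete only if both sides report the same number of documents.
  want=$(es POST "$SRC/_count" "{\"query\":$(ident_query nginx)}" | parse_count)
  got=$(es POST "$DST/_count" | parse_count)
  echo "nginx docs in $SRC: $want, docs in $DST: $got"
  [ "$want" = "$got" ]
}

# Nothing is sent to the cluster unless the script is called with "run".
if [ "${1:-}" = "run" ]; then main; fi
```

Once the counts match, a snapshot restricted to the new index backs up only the nginx logs.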
