Hello,
I'm shipping logs with logstash-forwarder, and for one of my types I can see that it's mainly indexing old data (mostly near the dead time), which results in not having events for the last four hours. Instead, it's entering old data first. I would like this to be configured somehow and to force it to index the newest data first, and then if there's nothing new - to index older data.
Here's my configuration block:
GW LOGS BLOCK
    {
      "paths": [
        "/srv/logserver/data/2016/*/*/srv-*-gw0*/*.GW0*.GATEWAY*"
      ],
      "dead time": "100h",
      "fields": { "type": "applog" }
    },
What am I missing?