We're using the OSS version of the stack and are ingesting logs in the following way:
Syslog -> Logstash -> Elasticsearch
We want to utilize the Rollover API but we're having difficulty grasping how to implement it without ILM.
It's my understanding that we can change the Elasticsearch output to point to an alias, instead of an index name.
What steps do I need to take to implement logstash to elasticsearch with rollover api capabilities?
In my mind it would look something like this:
- Create alias used for rollover
- Create a template that would set the correct amount of shards etc for the alias
- Change the logstash Elasticsearch output to the alias instead of the index
- Schedule a cron job which runs the rollover API with some conditions
- If the condition is met then a new index should be created and I want logstash to start writing to that index.
Is this correct?
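The five steps above, written out as an added example (not code from the original post): a small sh script that installs the template, bootstraps the first index behind a write alias, and is then called from cron to run the rollover check. It assumes curl, an Elasticsearch 6.4+ OSS cluster reachable at `ES_URL`, and the constructed names `syslog-write` (alias), `syslog` (template) and `syslog-000001` (first index).

```shell
#!/bin/sh
# Constructed example: rollover without ILM. Bootstrap once, then cron calls "rollover".
# Assumes: curl, Elasticsearch 6.4+ OSS at $ES_URL, names below are made up.
set -eu

ALIAS="syslog-write"   # alias Logstash writes to (assumed name)
TEMPLATE="syslog"      # legacy index template name (assumed)
PATTERN='syslog-*'     # indices the template applies to (each rolled index matches)

# Logstash elasticsearch output points at the alias, not an index:
#   elasticsearch { hosts => ["http://es:9200"] index => "syslog-write" ilm_enabled => false }

# Template carries shard/replica settings only. The rollover alias is deliberately
# NOT in the template: rollover itself moves the write alias to the new index, and a
# template alias would attach it to both indices at once.
template_body() {
  printf '{"index_patterns":["%s"],"settings":{"number_of_shards":1,"number_of_replicas":1}}' "$PATTERN"
}

# Rollover conditions checked on every cron run; rollover happens when any one is met.
rollover_body() {
  printf '{"conditions":{"max_age":"%s","max_size":"%s","max_docs":%s}}' "$1" "$2" "$3"
}

# First index in the sequence; rollover increments the numeric suffix (000002, ...).
first_index() { printf '%s-000001' "$1"; }

install_template() {
  curl -sS -X PUT "$ES_URL/_template/$TEMPLATE" \
    -H 'Content-Type: application/json' -d "$(template_body)"
}

# Bootstrap: create the first index and mark it as the alias's write index.
bootstrap() {
  curl -sS -X PUT "$ES_URL/$(first_index syslog)" -H 'Content-Type: application/json' \
    -d "{\"aliases\":{\"$ALIAS\":{\"is_write_index\":true}}}"
}

# Cron entry, e.g. hourly:  ES_URL=http://es:9200 /path/to/rollover.sh rollover
# Response contains "rolled_over":true when a new index was created.
rollover() {
  curl -sS -X POST "$ES_URL/$ALIAS/_rollover" -H 'Content-Type: application/json' \
    -d "$(rollover_body 1d 50gb 10000000)"
}

if [ -n "${ES_URL:-}" ]; then
  case "${1:-}" in
    bootstrap) install_template; bootstrap ;;
    rollover)  rollover ;;
  esac
fi
```

Run `bootstrap` once before switching the Logstash output to the alias; after that only the cron job talks to the rollover endpoint and Logstash keeps writing to `syslog-write` unchanged.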