Hi! We are trying the Logstash ArcSight Module, and we are seeing that it creates indexes like arcsight-yyyy.mm.dd, where yyyy.mm.dd is extracted from the deviceReceiveTime field of the CEF event.
Is there any way to configure it to index like arcsight-yyyy.mm.dd.hh, to have one index per hour per day?
We can't find the logstash output configuration, as it's embedded in the Module...
Why would you want to do that? How much data do you have being indexed per hour? Be aware that having lots of small indices and shards in the cluster is very inefficient.
Hi! Thanks for your quick answer. We expect approx. 50 GB per day; it could be that daily index rotation will be enough, but we also want to understand how the Logstash ArcSight module works. Is there any way to tune it, outside the well-known documented parameters?