How to create separate indices for separate devices?

Hi there,

I have around 8-10 devices which are sending logs to Logstash over syslog. I need to know if I can have a separate index created per device, like logstash-router1-*, logstash-firewall-*, logstash-nginx-* and so on?

What do I need to do to achieve this? Write separate templates or mappings? Please advise.

If you have a hostname or a device type in the syslog message then you could make the index name refer to that.

index => "logstash-%{hostname}-%{+YYYY.MM.dd}"
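A complete pipeline built around that `index =>` line, as an added example that is not part of the original thread. It assumes the Logstash syslog input (which puts the hostname from the syslog header into the `logsource` field), an Elasticsearch node on `localhost:9200`, listener port 5514 and the device names `router1`, `firewall` and `nginx`; all of those are assumptions for illustration. The point it adds to the answer above is that the hostname in a syslog message is supplied by the sender, so it needs to be normalised and bounded before it becomes part of an index name:

```conf
input {
  # 514 needs root; 5514 does not. Point the devices at this port.
  syslog {
    port => 5514
    type => "syslog"
  }
}

filter {
  # Default bucket for events with no usable hostname. @metadata fields are
  # not written to Elasticsearch, so they are a good place for routing values.
  mutate {
    add_field => { "[@metadata][device]" => "other" }
  }

  # logsource is the hostname from the syslog header, i.e. whatever the
  # sending device (or anyone who can reach port 5514) chose to put there.
  if [logsource] {
    mutate {
      replace => { "[@metadata][device]" => "%{logsource}" }
    }
    # Index names must be lowercase. Keep this in its own mutate block:
    # within a single mutate, gsub runs before lowercase.
    mutate {
      lowercase => [ "[@metadata][device]" ]
    }
    # Replace anything that is not safe in an index name. Elasticsearch
    # rejects \ / * ? " < > | , # and spaces; restricting to [a-z0-9-] is simpler.
    mutate {
      gsub => [ "[@metadata][device]", "[^a-z0-9-]", "-" ]
    }
  }

  # Allowlist (assumed names): a spoofed or unexpected hostname lands in
  # logstash-other-* instead of creating a brand-new index per value.
  if [@metadata][device] not in [ "router1", "firewall", "nginx" ] {
    mutate {
      replace => { "[@metadata][device]" => "other" }
    }
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
    # Keeping the logstash- prefix means the default template that the
    # output installs (template_name "logstash", pattern logstash-*) still
    # applies to every per-device index.
    index => "logstash-%{[@metadata][device]}-%{+YYYY.MM.dd}"
  }
}
```

Without the default value and the allowlist, an event whose `logsource` field is missing would be written to an index literally named `logstash-%{[@metadata][device]}-...`, and any host that can send syslog to the listener could make Logstash create as many indices (and shards) as it likes. If one device later needs a different mapping, a template whose pattern is `logstash-firewall-*` with a higher order (or priority, with the newer `_index_template` API) than the default `logstash-*` template overrides it for that device only.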

Hey,

Thanks, and how about the mapping then? I guess that would need to be changed as well?

The fields in your indexes will be mapped according to index templates and, as a fallback, Elasticsearch's automapper. Depending on your mapping requirements you may or may not need different templates.

Well, I am still lacking in templates and mappings :( and still looking for a basic doc which describes how and why to create templates.

And you've read the sections about mappings and index templates in the Elasticsearch documentation?

I would start with an index name that starts with logstash- (so it matches the default template) and not worry about templates until you find a problem that requires one.
