Is there a way to delete indices related to syslog messages with a specific severity?
For example, if I would like to keep debug logs for 7 days but all others for 31 days? Is it possible?
Could we do the same with tags? For example, logs with tag "application1" => keep logs for 7 days and logs with tag "application2" => keep logs for 31 days?
If you have data with different retention periods, best practice is to put them into different indices. These can have a common prefix allowing them all to be addressed in e.g. Kibana. This allows you to use Curator to manage retention period by deleting complete indices, which is much more efficient than using delete by query.
Curator manages complete indices and cannot be used to delete selected records from indices.
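The approach described in the answer above, sketched as a Curator action file; this is an added example, not part of the original posts. The index names `syslog-debug-YYYY.MM.DD` and `syslog-other-YYYY.MM.DD` are assumptions: they presume the ingest pipeline already routes debug-severity events into their own daily index under the shared `syslog-` prefix.

```yaml
# Added example. Assumed index naming (not from the thread):
#   syslog-debug-YYYY.MM.DD   debug severity only   -> keep 7 days
#   syslog-other-YYYY.MM.DD   all other severities  -> keep 31 days
# The shared "syslog-" prefix lets one Kibana pattern (syslog-*) cover both.
actions:
  1:
    action: delete_indices
    description: Delete debug syslog indices older than 7 days
    options:
      ignore_empty_list: True   # no matching index is not an error
    filters:
    - filtertype: pattern
      kind: prefix
      value: syslog-debug-
    - filtertype: age
      source: name              # age is read from the date in the index name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 7
  2:
    action: delete_indices
    description: Delete all other syslog indices older than 31 days
    options:
      ignore_empty_list: True
    filters:
    - filtertype: pattern
      kind: prefix
      value: syslog-
    - filtertype: pattern       # filters are chained, so this removes the
      kind: prefix              # debug indices from the set selected above
      value: syslog-debug-
      exclude: True
    - filtertype: age
      source: name
      direction: older
      timestring: '%Y.%m.%d'
      unit: days
      unit_count: 31
```

The same layout applies to tags: one index family per tag (for example an assumed `logs-application1-` and `logs-application2-`), each with its own `unit_count`. Running Curator with `--dry-run` first shows which indices each action would delete without removing anything.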