How to ingest old logs into slow storage and newer logs into fast storage

ManjaroBlack · August 31, 2020, 8:12pm

I am experimenting with the Elastic Stack on my laptop. I need to ingest a bunch of logs dating back a few years up to current time. I am using logstash to process the logs and send them to elasticsearch. I have limited space on my SSD but plenty of space on my HDD.

I would like to ingest the logs and allocate the indexes to either the SSD or HDD based on the timestamp of the logs, f.ex, if the logs are 2 weeks old or newer, they go to the SSD and if they are 2 weeks old or older, they go to the HDD. Is this possible?

warkolm · August 31, 2020, 9:33pm

It is, check out https://www.elastic.co/guide/en/elasticsearch/reference/current/shard-allocation-filtering.html

ManjaroBlack · September 1, 2020, 2:49pm

Thank you for your help.

Is this a setting that can be set at the time of index creation in logstash? Or does this have to be done manually after index creation?

ylasri · September 1, 2020, 3:19pm

You will need to have at laest 2 nodes,
1 node that will use SSD Storage and will be the hot node that receive the newest logs
1 node that will use HDD storage and will be the warm node that receive the old logs

warkolm · September 1, 2020, 8:23pm

You can do it ahead of time using index templates.

system · September 29, 2020, 8:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Output logs to host based on timestamp Logstash	8	382	September 28, 2020
Retiring indexes from SSDs to HDDs Elasticsearch	4	868	January 9, 2017
Elasticsearch on server with ssd and hdd disks Elasticsearch	2	1683	September 13, 2018
How to best use SSD & Spin Disk mixed machines? Elasticsearch	3	1259	July 6, 2017
Disk partitioning for Elasticsearch Elasticsearch	2	336	October 16, 2021

How to ingest old logs into slow storage and newer logs into fast storage

Related topics