Hello guys, I've got the following set in my /logstash/conf.d/10-syslog-XXXXX.conf file:
    output {
      if [type] == "syslog" {
        elasticsearch {
          hosts => ["000.000.000.000"]
          index => "logstash-vmw-000002"
        }
      }
    }
I've also set up Index Lifecycle Management for this index. It works somehow: in Kibana I can see the new index "logstash-vmw-000003" as a write index, and the aliases have been passed to it as well. The problem is, my Logstash nodes still send the logs to the index logstash-vmw-000002, so there are logs in the new index. How do I have to set up the index name in the conf.yml to let it adjust automatically?
Hi, thanks for your reply!
I've set the alias in the index template logstash-*:

    {
      "logstash": {}
    }
I changed the config file following your recommendations. The logs still get delivered; if I open them up they tell me:
    @timestamp  Nov 13, 2019 @ 08:40:23.141
    @version    1
    _id         aIy0Y24Bk3krkYz-y0R0
    _index      logstash-vmw
Should I be bothered because it says "index: logstash-vmw", or is this OK because the docs will still get sorted into the "logstash-vmw-00003" index?
Thanks anyway, you helped me a lot!
EDIT:
OK, so now I have the problem that the doc count of my newest index doesn't rise.
I can see the logs in the Discovery section, but the index is not changing in size or doc count...
Can I somehow tell my Logstash to send to an alias instead of a static index name? Also, if I now check my indices under "Index Management", I can see a logstash-vmw index, which I never created...
Let's say you have logstash-vmw-00003 and your index alias is logstash-vmw then it works. If your alias is logstash- then you would have to use logstash-
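
An added example, not part of any post in this thread: a Logstash output that writes through the rollover alias instead of a numbered index, using the `ilm_*` options of the elasticsearch output plugin. The alias name `logstash-vmw` and the `000.000.000.000` host placeholder are taken from the posts above; the policy name is a hypothetical placeholder.

```logstash
output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["000.000.000.000"]          # placeholder host, as in the original post

      # Let the plugin write to the rollover alias. With ILM enabled the
      # plugin uses the alias as the write target, so no static "index =>"
      # setting pointing at logstash-vmw-00000N is needed.
      ilm_enabled        => true
      ilm_rollover_alias => "logstash-vmw"  # must match the alias the policy rolls over

      # Suffix of the first backing index; only used if the alias does not
      # exist yet and the plugin has to bootstrap it.
      ilm_pattern        => "000001"

      # Hypothetical policy name: replace with the ILM policy attached
      # to the logstash-vmw-* indices.
      ilm_policy         => "logstash-vmw-policy"
    }
  }
}

# Note: an alias cannot share its name with a concrete index. If writing to
# "logstash-vmw" before the alias existed auto-created a real index with that
# name, that index has to be removed (or reindexed and removed) before the
# alias "logstash-vmw" can be created.
```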