How to "tail" an ElasticSearch index in LogStash

cawoodm · March 8, 2019, 11:56am

We have all our logfile entries in a logs-* index and would like to tail it, choosing some special/error entries to push into another index issues-*.

How can we query ElasticSearch for all logs.* since time X where X is the last time we queried?

I imagine we'd need to persist the time we last queried in some way (file) and use this timestamp within an ES Query.

Of course there are workarounds: we could direct filebeat to send the logfile entries to logs-* and issues-*. We could also clone certain events we are sending to logs-* within logstash and send these to issues-*.

I just feel there should be a way to tail ES.

Wolfram_Haussig · March 8, 2019, 12:08pm

Hi Marc,

I think you could use aliases too: Aliases API | Elasticsearch Guide [8.11] | Elastic

POST /_aliases
{
    "actions" : [
        {
            "add" : {
                 "index" : "logs-*",
                 "alias" : "issues",
                 "filter" : { "term" : { "log.level" : "ERROR" } }
            }
        }
    ]
}

Then you could query this alias as:
GET errorlog/_search

Best regards
Wolfram

cawoodm · March 8, 2019, 12:31pm

That creates a view of the data I want but does not allow me to copy those docs into a separate index unless I do it daily/hourly for the previous day/hour. I really want to copy documents once and once only into a different index.

Topic		Replies	Views
Re-Index data from elasticsearch back to another elasticsearch using Logstash Logstash	1	336	March 20, 2019
Easy to hit Seach Queue number in setting for watching a time series log Elasticsearch elastic-stack-alerting	6	1875	July 6, 2017
Logstash output file Elasticsearch	6	695	July 5, 2017
Continuously copy specific documents to another index? Elasticsearch	9	1694	December 16, 2020
Is it possible to do a "tail" query on an index? (find the newest entries?) Elasticsearch	2	740	July 6, 2017

How to "tail" an ElasticSearch index in LogStash

Related topics