Hi there,
I used to index logs with Logstash into time-based indices (logstash-YYYY.MM.DD). Time-based index names make administration easier on us.
We already use lifecycle management to pull the indices to slower nodes and delete the indices after a certain amount of time. Now I want to take advantage of rollover to decrease index size.
I looked in the Rollover documentation and also have a basic understanding, but could not quite grasp how to implement this in my case.
I have an index template set up for logstash-*. Included is an ILM-policy.
When trying to set up rollover in the ILM-policy in Kibana I get a prompt asking me for an "alias for rollover index". I suppose this is the alias that gets applied to the current write-to index?
I would now want to enter some sort of pattern like "logstash-YYYY.MM.DD" to state my time-based index pattern, because Logstash shall always write to "logstash-[current-date]" even if in the backend indices are named logstash-[current-date]-00004.
Am I still on the right path?
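BTW: This is what my Elasticsearch output in Logstash looks like:
```
elasticsearch {
  id => "12341234"
  hosts => ["192.168.1.2:9200"]
  # Credentials are stored in plain text in the pipeline config
  user => "my_admin_user"
  password => "his_password"
  # TLS is enabled, but the server certificate is not validated
  ssl => "true"
  ssl_certificate_verification => "false"
  document_type => "_doc"
  template_name => "logstash"
  # Daily, time-based index name
  index => "logstash-%{+YYYY.MM.dd}"
}
```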
Component versions:
- Logstash: 6.8.8 (need to upgrade soon)
- Elasticsearch: 7.9.0
- Kibana: 7.9.0