Hello everyone,
I'm having issues with lifecycle policy.
Currently I'm receiving log from one windows server, logstash outputs it to elastic succesfully. When lifecycle begins it creates new index but keeps writing to old one. I want it to write to new index.
Here is my configurations;
Waiting for kind help,
When you use rollover you must always write to the rollover alias (winlogbeat) and not directly to the first index (winlogbeat-000001) as you are now.
I suppose my alias name is right but, what could I write for the index name ?
When you use rollover you write to the alias. If you do not, rollover can not switch indices behind the scenes, which is the whole point of rollover.
So should I rename my index (in output file) same with my alias ? (winlogbeat in this case)
Yes.
Thank you Christian_Dahlqvist!
If anyone else having the same issue,
My logstash output index name is "winlogbeat"
I defined rollover.index.name in index template as "winlogbeat"
Thing that fixed my problem after I changed my aliases is deleting alias on the index template. I've created first index manually with following command on DevConsole;
PUT winlogbeat-000001
{
"aliases": {
"winlogbeat": {
"is_write_index": true
}
}
}
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.