I am a newbie to ELK, and this is very probably a n00b question.
I have set up ELK, and these are currently the indices that I have on my host:
curl 'http://localhost:9200/_cat/indices?v'
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
yellow open filebeat-2020.03.10 9vYa2M9QR1-sBMtDnIaekw 1 1 1666 0 839.7kb 839.7kb
yellow open logstash-2020.03.03-000001 035LbhSGRv-_yAW9UNV4Xw 1 1 2842 0 1.5mb 1.5mb
green open .kibana_task_manager_1 ca5hQQYIT62JKee4euSSHQ 1 0 2 2 20.8kb 20.8kb
green open .apm-agent-configuration MAAyG6-zSWWl61C_0ne43w 1 0 0 0 283b 283b
green open ilm-history-1-000001 JcOJ8kX5TIWcPd1kSRCy3w 1 0 27 0 34.3kb 34.3kb
yellow open filebeat-7.6.1-2020.03.10-000001 pvS64-dvSmekPbJNV8xZXQ 1 1 173561 0 45mb 45mb
green open .kibana_1 oQN_ZPreTaifBdHEbq6paQ 1 0 25 8 227.7kb 227.7kb
yellow open filebeat-2020.03.09 8hQ2yayeQuqanX8lRuVrKw 1 1 12363 0 7.1mb 7.1mb
I am using filebeat as you see, that sends data to logstash.
I do not understand where those indexes are configured. I thought it was in /etc/logstash/conf.d/logstash.conf, but it doesn't match... For example, my configuration states (see below) an index name of filebeat-DATE. But when I list my indexes, it turns out the index which is used is filebeat-7.6.1-2020.03.10-000001.
elasticsearch {
  hosts => ["localhost:9200"]
  index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
- Can I safely delete the other filebeat indexes?
- How can I view the current content of a given index using the CLI? Is there a URL to grab, for instance, the last few records it got?
- Why isn't the name of my index filebeat-2020... as specified by /etc/logstash/conf.d/logstash.conf?
Thanks for your help!
PS. I am using version 7.6.1 on Linux.