Index names including yyyy-mm-dd

gormanst · January 16, 2019, 2:27pm

I am new to elasticsearch and am trying to figure out index management. I index smallish documents continuously for a week. I would like the index names to include the date in their name along with a project specifier i.e.

foobar-yyyy-mm-dd

It doesn't appear to be a simple thing to do. Is this accomplished by using a template for foobar indexes and then alias all foobar indices to some umbrella term for searching? If this is correct than I assume I use curator to prune?

I just want to make sure I am not over complicating an otherwise simple thing.

Thank you for reading this and your thoughts.

sg

A_B · January 16, 2019, 2:31pm

Logstash and Filebeat will let you template the Elasticsearch index names. E.g. in my Logstash config

    index => "%{[@metadata][log_prefix]}-%{[@metadata][index]}-%{+YYYY.MM.dd}"

How do you ship your data to Elasticsearch?

gormanst · January 16, 2019, 2:34pm

If I understand "ship" correctly, I ingest data using java?

A_B · January 16, 2019, 2:35pm

Directly to Elasticsearch? You could put everything through Logstash and get index creation and naming "for free"

gormanst · January 16, 2019, 2:41pm

Hrm. That seems strange but remember I am new to elasticsearch. Can you give me a couple bread crumbs to follow? I use the java RestHighLevelClient to index. How do you "put" everything through logstash?

theuntergeek · January 16, 2019, 2:41pm

Curator would indeed be the tool of choice to prune.

A_B · January 16, 2019, 2:49pm

Adding Logstash to the mix is of course one more service to worry about. What you get is a service that can talk fluently with Elasticsearch, can load balance over several ES nodes and it will create and name the ES indices for you. You can also do more advanced stuff like enrich your logs as well.

As you are shipping directly to Elasticsearch your data has to be in JSON.

To run Logstash, configure a TCP or UDP input that accepts JSON. From the TCP input plugin docs

input {
  tcp {
    port => 12345
    codec => json
  }
}

The filter section would be just

filter {}

The output is Elasticsearch

output {

  elasticsearch {
    hosts => ["127.0.0.1:9200","127.0.0.2:9200"]
    index => "foo-%{+YYYY.MM.dd}"
  }

}

So, instead of RestHighLevelClient shipping to Elasticsearch, something like hostname:9200, you ship to logstashhost:12345

A_B · January 16, 2019, 2:53pm

You can read more here Logging directly to elasticsearch

gormanst · January 16, 2019, 2:53pm

thank you

dadoonet · January 16, 2019, 2:58pm

I'd not use logstash when the source of data is available from a Java application.

The index name is something you can easily compute in Java. There's no need IMO to add logstash.
But may be I'm missing something. What kind of data are you indexing @gormanst?

gormanst · January 16, 2019, 3:02pm

I am indexing small blocks of json data received from an outside application via REST. I make some minor transformations then index.

dadoonet · January 16, 2019, 3:41pm

So just compute the index name in your REST application.

gormanst · January 16, 2019, 3:57pm

That's kind of where my original question was headed. I just wanted to make sure I was not overly complicating things. So I should create a template with an alias (for searching) and programatically figure out that I want to index to foobar-yyyy-mm-dd. Finally, use Curator to prune off old data?

Again thanks for your thoughts on this.

dadoonet · January 16, 2019, 4:14pm

Exactly what I'd do.

system · February 13, 2019, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.