Is it possible to apply grok to the oldest logs?

Hello,

I need to apply the grok filter to my oldest logs; is it possible?
I ask because I need to create new fields.

Thank you very much.

You mean you want to reprocess old logs that already have been stored in Elasticsearch? It's possible but it's a fairly involved process.

Yes, this is what I want. How could I do it?

For example, I've stored my logs without filters, but now I need to create some fields, so I created some filters using grok. But I've observed that the filter only works on logs received after the date I applied the grok filter.

Is reprocessing the old logs the best way?

Thank you.

If you have the raw logs it's probably easier to delete what you currently have in ES and run all the old logs through Logstash again.

But if I don't have?

For example, on my Linux servers, when the log file size reaches 1GB it overwrites the oldest rows.
Did you understand me?

Thank you.

Well, then you'll have to use what you have in Elasticsearch. If you have the raw message stored as a field in your events in ES you can probably set up a pipeline with an elasticsearch input, the filters you need to add extra fields, and an elasticsearch output.
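The pipeline sketched in the reply above, written out as an added example (it is not a configuration anyone posted in this thread). Everything specific to an environment is assumed: the Elasticsearch host, the `logstash-*` index pattern, the cutoff date that marks "before the grok filter existed", and a syslog-style `message` format. The `docinfo` setting keeps each document's original `_index` and `_id` so the output can overwrite the same document with the enriched version instead of creating a duplicate.

```logstash
# Added example: re-run stored events through grok and write them back.
# Host, index pattern, cutoff date and log format below are assumptions.
input {
  elasticsearch {
    hosts => ["http://localhost:9200"]      # assumed Elasticsearch endpoint
    index => "logstash-*"                    # assumed source indices
    # Select only the period that was indexed before the grok filter existed
    # (constructed cutoff date).
    query => '{
      "query": { "range": { "@timestamp": { "lt": "2019-01-01T00:00:00Z" } } },
      "sort": [ "_doc" ]
    }'
    size => 1000
    scroll => "5m"
    # Keep the original _index and _id of every hit under [@metadata][doc]
    # so the output can replace each document in place.
    docinfo => true
    docinfo_target => "[@metadata][doc]"
  }
}

filter {
  # The stored events still carry the raw line in "message"; parse it now.
  # Assumed line format: "<host> <program>[<pid>]: <free text>"
  grok {
    match => { "message" => "%{SYSLOGHOST:host_name} %{PROG:program}(?:\[%{POSINT:pid:int}\])?: %{GREEDYDATA:log_message}" }
    tag_on_failure => ["_grokparsefailure"]
  }

  # A line that does not match would be rewritten without the new fields and
  # with a failure tag; dropping it leaves the stored document untouched.
  if "_grokparsefailure" in [tags] {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[@metadata][doc][_index]}"   # same index the event came from
    document_id => "%{[@metadata][doc][_id]}" # same _id, so the document is replaced
    action => "index"
  }
}
```

Run it as a one-off pipeline (`bin/logstash -f reprocess.conf`); without a `schedule` option the elasticsearch input finishes when the scroll is exhausted and Logstash exits. Two things to check first: the target indices must accept the new fields (a strict mapping will reject them), and if the field names you add collide with fields that already exist with a different type, write to a fresh index (for example `index => "reprocessed-%{[@metadata][doc][_index]}"`) rather than overwriting in place.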

Sorry, I didn't understand your explanation or how I can do this. :confused:

Maybe someone else has time to explain this in detail. I unfortunately don't.
